

HEARING ON VERIFICATION, SECURITY AND
PAPER RECORDS FOR OUR NATION’S 
ELECTRONIC VOTING SYSTEMS 


HEARING 

BEFORE THE 

COMMITTEE ON HOUSE 
ADMINISTRATION 
HOUSE OF REPRESENTATIVES

ONE HUNDRED NINTH CONGRESS 
SECOND SESSION 


Hearing held in Washington, DC, September 28, 2006 


Printed for the use of the Committee on House Administration 








U.S. GOVERNMENT PRINTING OFFICE 
31-270 WASHINGTON : 2007 


For sale by the Superintendent of Documents, U.S. Government Printing Office 
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 



COMMITTEE ON HOUSE ADMINISTRATION 

VERNON EHLERS, Chairman 

ROBERT W. NEY, Ohio
JOHN L. MICA, Florida
CANDICE MILLER, Michigan
JOHN T. DOOLITTLE, California
THOMAS M. REYNOLDS, New York

JUANITA MILLENDER-McDONALD, California, Ranking Minority Member
ROBERT A. BRADY, Pennsylvania
ZOE LOFGREN, California


Will Plaster, Staff Director 
George Shevlin, Minority Staff Director 





VERIFICATION, SECURITY AND PAPER 
RECORDS FOR OUR NATION’S ELECTRONIC 
VOTING SYSTEMS 

THURSDAY, SEPTEMBER 28, 2006 

House of Representatives, 
Committee on House Administration, 

Washington, DC. 

The committee met, pursuant to call, at 10:03 a.m., in room 1310,
Longworth House Office Building, Hon. Vernon Ehlers (chairman of
the committee) presiding.

Present: Representatives Ehlers, Ney, Doolittle,
Millender-McDonald, Brady and Lofgren.

Also Present: Representative Holt.

Staff Present: Paul Vinovich, Counsel; Gineen Beach, Counsel;
Peter Sloan, Professional Staff; George F. Shevlin, Minority Staff
Director; Charles Tracy Howell, Minority Chief Counsel; Thomas
Hicks, Minority Elections Counsel; Mathew A. Pinkus, Minority
Parliamentarian; Janelle Rene Hu, Minority Professional Staff;
Teri A. Morgan, Legislative Director, Office of Representative
Brady; Stacey E. Leavandosky, Chief of Staff, Office of
Representative Zoe Lofgren; and Joel Vanderver, Intern, Office of
Representative Zoe Lofgren.

The Chairman. Good morning, ladies and gentlemen. The Committee
on House Administration will come to order. First I would like to
advise and request all members of our audience here today that all
cellular phones, pagers, and other electronic equipment must be
silent to prevent interruption of our business. So I would
appreciate it if you would turn these devices off, as I have.

The committee is meeting today for a hearing on electronic voting
machines and related issues. The election that will occur in just
a few weeks will be the first general Federal election conducted
since the Help America Vote Act of 2002, better known as HAVA,
was fully implemented. That act, passed by this Congress in
response to the voting system weaknesses exposed during the 2000
recount in Florida, set new standards for voting systems that were
meant to make our elections more accurate and accessible.

Three billion dollars were appropriated by the Congress pursuant
to HAVA, with most of these moneys being dedicated to new
equipment purchases by jurisdictions, localities, counties, cities,
townships, et cetera, that wanted to improve their voting systems.
As a result many jurisdictions are using new equipment for the
first time this year. It is no surprise that there have been a few
problems.

Though HAVA did not require the adoption of any particular
kind of technology, many jurisdictions purchased electronic voting
systems because they felt these systems were best able to meet the
requirements of HAVA. Not surprisingly, some jurisdictions using
this equipment for the first time have encountered some
difficulties. Just two weeks ago, in nearby Montgomery County,
Maryland, polls were not able to open on time because poll workers
were sent to their posts without the cards necessary to start up
the electronic machines.

In the wake of this episode a column appeared in the Washington
Post under the headline: If Paper Ballots Restore Trust in
Elections, Let’s Switch. The column noted people trust paper
ballots because they are real. You can hold them in your hand and
count them again if you need to.

Indeed, before it had electronic voting systems, Montgomery
County used a punch system. Need we be reminded of the problems
we had with that system?

I direct your attention to the screen above. The audience can look 
at that one, we will look at this one. This is a reminder of what 
we saw in the 2000 election in Florida, images of people with paper 
ballots. This one is a group of people staring at paper punch cards 
trying to figure out if they constitute a vote, and if so, for whom. 

If you look at the second slide, you see how closely these ballots 
were being examined by groups. 

And the third slide shows the extreme: putting things under the 
magnifying glass. You can see this man has got paper. 

Now, I am not showing these to condemn paper, I am just pointing
out that punch cards with paper, rather thick paper at that,
have caused some serious problems. Simply saying “Let’s use
paper,” as some people are saying, does not mean all the problems
go away. We have to consider all the different aspects of it, and
these pictures, as you can tell, were taken in Florida during the
2000 recount. That will go down in history, I am sure, because of
the recount and the ramifications.

These images do not inspire trust and confidence either in the 
punch card system or in voting systems in general. As we look at 
this problem, it is worthwhile to remember the famous words of 
H.L. Mencken who once said, “For every complex problem there is 
an answer that is clear, simple, and wrong.” 

We would like to have answers that are clear and simple, but we
certainly do not want wrong answers, and so we are going to
proceed with this very thoroughly and deliberately to try to make
sure that we have good answers that are right. Unfortunately, the
problems some jurisdictions have experienced with their new systems
have caused some to suggest that we should revert to a reliance on
paper, the so-called “paper trail” or “paper tape.” We know from
painful and bitter experience that paper systems also can fail to
deliver accurate results and are susceptible to manipulation.

To ignore this reality and assert that paper somehow ensures
integrity or a correct result is simplistic and wrong. In fact, no
voting system by itself can guarantee election integrity. The best
system on earth will fail if not properly maintained, deployed and
operated, and that is the key point that we have to remember.

Even though I am a physicist and I have used computers since
1957, I am not saying by virtue of these comments that paper is
bad. Electronics, of course, is good. I have used that for many
years. I know that can fail too if not programmed or operated
properly.

I believe the important point is to design the best system you 
can, but make sure you have auditability built in, whether it is 
paper or some other electronic device. 

Our hearing will examine a range of issues related to electronic
voting machines. We will hear about their problems but also about
their benefits. We will also hear about the experience in one
jurisdiction that tried to address the security concerns of a
paperless system by requiring the machine to generate a paper trail.

This hearing is being held to educate the members and the public
about these complicated issues. I hope when the hearing is over,
we will have a better understanding of the problems and benefits
of these new technologies. I also hope that as we look for solutions
to these complicated problems, we resist the temptation to settle on
answers that are clear, simple and wrong.

[The information follows:]


Electronic Voting Machines: 
Verification, Security, and Paper Trails 

September 28, 2006 


Opening Statement by Chairman Vernon J. Ehlers 


Good morning ladies and gentlemen, the Committee on House Administration
will come to order. The Committee meets today for a hearing on electronic voting 
machines. 

The election that will occur in just a few weeks will be the first general federal 
election conducted since the Help America Vote Act of 2002, or HAVA, was fully 
implemented. That Act, passed by this Congress in response to the voting system 
weaknesses exposed during the 2000 recount in Florida, set new standards for voting 
systems that were meant to make our elections more accurate and accessible. 

Three billion dollars were appropriated pursuant to HAVA, with most of these 
monies being dedicated to new equipment purchases by jurisdictions that wanted to 
improve their voting systems. As a result, many jurisdictions are using new equipment 
for the first time this year. 

Though HAVA did not require the adoption of any particular kind of technology, 
many jurisdictions purchased electronic voting systems because they felt these systems 
were best able to meet the requirements of HAVA. Not surprisingly, some jurisdictions 
using this new equipment for the first time have encountered some difficulties. 

Just two weeks ago, in nearby Montgomery County, Maryland, polls were not 
able to open on time because poll workers were sent to their posts without the cards 
necessary to start up the electronic machines. 

In the wake of this episode, a column appeared in the Washington Post under the
headline, “If Paper Ballots Restore Trust in Elections, Let’s Switch.” The column noted 
- “People trust paper ballots because they’re real. You can hold them in your hand and 
count them again if you need to.” 

Before it had electronic voting machines, Montgomery County used a punch card 
system. Need we be reminded of the problems we had with that system? I would direct 
your attention to the screen above. You will see there some images of people with paper 
ballots. 


Here’s one of a group of people staring at paper punch cards trying to figure out if 
they constitute a vote and if so for whom. 

You can see this gentleman holding a ballot in his hand and trying to count it. You can 
see this man has “Got Paper” 

These pictures, of course, were taken in Florida during the 2000 recount. Do 
these images inspire trust and confidence? 

H.L. Mencken once said, "For every complex problem there is an answer that is 
clear, simple, and wrong." 





Unfortunately, the problems some jurisdictions have experienced with their new 
systems have caused some to suggest that we should revert to a reliance on paper. 

We know from painful and bitter experience, that paper systems can fail to deliver 
accurate results and are susceptible to manipulation. To ignore this reality, and assert that 
paper somehow ensures integrity is simplistic and wrong. 

In fact, no voting system, by itself, can guarantee election integrity. The best 
system on earth will fail if not properly maintained and deployed. 

Our hearing today will examine a range of issues related to electronic voting 
machines. We will hear about their problems, but also their benefits. We will also hear 
about the experience in one jurisdiction that tried to address the security concerns of a 
paperless system by requiring the machine to generate a paper trail. 

This hearing is being held to educate the Members, and the public, about these 
complicated issues. I hope when the hearing is over, we will have a better understanding 
of the problems and benefits of these new technologies. I also hope that as we look for 
solutions to these complicated problems, we resist the temptation to settle on answers that 
are clear, simple and wrong. 





The Chairman. Now I would like to ask unanimous consent that 
the gentleman from New Jersey, Representative Rush Holt, who is
the author of a bill dealing very much with one aspect of this, be 
allowed to join us on the dais today and that he may be permitted 
to ask questions of the witnesses and enter his statement into the 
record. Without objection, so ordered. 

[The information follows:] 





Statement of Representative Rush Holt 
to the 

Committee on House Administration 

Hearing on Electronic Voting Machines: Verification, Security, and Paper Trails 
September 28, 2006 

Chairman Ehlers, Ranking Member Millender-McDonald, Honored Members of the 
Committee, I would like to thank you for addressing the critical matter of the security of 
our electronic voting equipment and the integrity of the vote count. However, as I stated 
when I addressed you on the occasion of your hearing on the Hyde voter identification 
bill in June, and your hearing on the Voluntary Voting System Guidelines in July, this is 
a matter that urgently required attention long before now. 

We must be honest with ourselves. The risks and dangers that accompany our use of 
electronic voting equipment are neither theoretical nor hypothetical. The problems we 
have experienced with this equipment are not taking place in a test lab, they are taking 
place in actual elections. It is nothing less than foolhardy, with the November elections 
mere weeks away, to take no action to ensure that the vote count in every race will be 
independently verifiable. As the September 20 editorial in Roll Call so succinctly put it, 
“[t]here’s no way around it: If Nov. 7 is a mess, Congress will be to blame.”

When I addressed the Committee in July, I recounted a number of irregularities that had 
already occurred during the primary season. The irregularities that occurred on electronic 
systems that counted voter verified paper ballots were able to be resolved, while the 
irregularities that occurred on electronic machines without voter verified paper records 
were not. For example it was reported that in May, in Grand Rapids Michigan, software 
in optical scanners erroneously gave votes to non-existent write-in candidates. Brand 
new machines malfunctioned in 15 of 16 townships and the town of Hastings in Barry 
County; in only one township, as confirmed by a hand count of the optical scan ballots, 
did the software count the votes accurately. In June, in Pottawattamie County, Iowa, 
software in optical scanners recorded votes inaccurately and a hand count of optical scan 
absentee ballots reversed the result. But in June, in Leflore and Jackson Counties, 
Mississippi, various glitches were experienced in the use of new paperless touch screen 
voting machines, including ballots not being properly customized for each precinct. An 
AP story published about the irregularities quoted a County-level political official as 
saying: "If a hacker comes in and hacks that program, what are we going to do then? . . .
We're praying that everything will work out for us."

Those were merely a few of the numerous irregularities that have marred this year’s 
primary season. I am submitting with this testimony a more extensive list, prepared by 
the voting integrity organization VotersUnite.org based upon published news accounts 
and sorted by state, that sets forth 18 reported instances of electronic voting irregularities 
in eight different states (Arkansas, Indiana, Iowa, Michigan, Mississippi, Montana, Texas 
and West Virginia), all of which took place between March and June of 2006. This list 
doesn’t include the well-publicized meltdown that occurred most recently in Maryland. 

In the instances in which there were voter verified paper records available - such as those
in Pottawattamie County Iowa and Barry County Michigan - the irregularities could be
resolved. In the instances in which there were no voter-verified paper records, officials
were - again - left to “pray” that everything would work out.

What does this all mean? According to prominent political analysts, in November, 45 
Congressional races will be competitive or highly-competitive. However, the vote count 
in 22 of those competitive or highly competitive Congressional races will not be 
independently verifiable. Going to court will be virtually pointless in every one of those 
22 instances. There will be no way to resolve vote-counting disputes in 22 races - no 
way to prove to the losers that they lost, and no way to reassure the public that the vote 
reflects the will of the majority. 

We are plunging head first right into it. What on earth for? This works for none of us. 

Some people tell me “you know, I basically agree with you, but it would create chaos to
make a change in election procedures at this juncture.” I think the evidence from the
primary season shows just the opposite. We are clearly in chaos.

In September 2005, the bipartisan Carter Baker Commission on Federal Election Reform 
recommended that “Congress should pass a law requiring that all voting machines be 
equipped with a voter-verifiable paper audit trail” in order to “provide a backup in cases 
of loss of votes due to computer malfunction.” It further noted that “paper trails and 
ballots currently provide the only means to meet the Commission’s recommended 
standards for transparency.” 

In June of this year, the non-partisan Brennan Center for Justice at New York University, 
working in conjunction with the National Institute of Standards and Technology, Ron 
Rivest of M.I.T, Howard Schmidt (former White House Cyber-Security Advisor for 
George W. Bush and former chief security officer for Microsoft and for eBay), and other 
computer security experts, released the most comprehensive and rigorous analysis to date 
of e-voting security risks and remedies. The Brennan Center report found that “[a]ll three
[major types of] voting systems [used in the United States] have significant security and 
reliability vulnerabilities, which pose a real danger to the integrity of national, state, and 
local elections.” To mitigate those risks, the report recommended a voter-verified paper 
record accompanied by automatic routine random audits and a ban on the use of voting 
machines with wireless components. 

That same month, the National League of Women Voters, responding to increasing 
demand from its membership, issued similar recommendations in a resolution passed at 
its Annual Convention in June. The resolution states that the League of Women Voters 
“supports only voting systems that are designed so that: they employ a voter-verifiable 
paper ballot or other paper record, said paper being the official record of the voter’s intent 
.... the paper ballot/record is used for audits and recounts . . . and routine audits of the 
paper ballot/record in randomly selected precincts can be conducted in every election.” 





My legislation, the Voter Confidence and Increased Accessibility Act of 2005 (H.R. 550), 
would implement all of the basic e-voting security recommendations of the Carter Baker 
Report, the Brennan Center Report and the League of Women Voters resolution. It 
would establish a uniform national requirement for:

a voter-verified paper record for every vote cast, which would serve as the vote of record; 

routine random audits of a small percentage of the electronic tallies of the votes in every 
State, including at least one precinct in every county; 

a ban on the use of undisclosed software;

a ban on the use of wireless devices; 

Federal funding to pay for the implementation of the paper record requirement; and 

Voter verification mechanisms that are fully accessible to disabled voters, including a 
requirement that the entire process of verification be made accessible to disabled voters. 

HR 550 was written to be effective in time for the November 2006 elections. You still 
have time to act. There are 1,050 counties in the United States that will use touch screen 
voting machines in November. Except for the touch screen machines used in the State of 
Nevada, which are equipped with voter verified paper record printers, almost none of 
them will be independently auditable. However, all of those counties could use absentee 
ballots, or emergency ballots, both of which should already be available or in the final 
stages of preparation in all of those jurisdictions. If you act today, those jurisdictions 
would have time to print enough absentee and/or emergency ballots for use by all of their 
voters. If they did, voters in every State, and in every Congressional race, would have the 
equal protection of an independently verifiable vote count in November. More 
importantly, we would all be able to prove to each other - winners and losers alike - who 
is really entitled to control of the House in the next Congress. 

I thank the Committee again for giving its time and attention to this critical matter, and I 
urge the Committee to consider passing emergency legislation consistent with my Voter 
Confidence and Increased Accessibility Act as expeditiously as possible. 





Vote-Switching Software Provided by Vendors 

A Partial List — 51 Ballot Programming Flaws Reported in the News 
These were detected; how many were not? 

Ballot programming maps votes to candidates. Flaws cause votes to be counted wrong, often leaving
totals unchanged. Voting machine vendors do the ballot programming for most jurisdictions in the U.S.

[Map of the United States with callouts; the callouts that survive are listed below.]

South Dakota. Nov 2002. ES&S optical scan [25]

Sarpy Co., NE. Nov. 2004. ES&S optical scan [23]

Lake Co., IL. April 2003. ES&S optical scan [21]

Harrison Co., IN. May 2006. ES&S optical scan [5]

Kanawha Co., WV. May 2006. ES&S optical scan [7]

Lubbock Co., TX. March 2004. ES&S optical scan [20]

Tarrant Co., TX. May 2006. Hart Intercivic evote machine [12]

Webb Co., TX. March 2006. ES&S optical scan [15]

Pulaski, Phillips Co., AR. May 2006. ES&S optical scan [10]

Miami-Dade Co., FL. April 2002. ES&S touch screens & optical scan [28]

Detailed descriptions: www.VotersUnite.Org/info/mapVoteSwitch.pdf






[1] Faulty voting machines delay results; counting under way.
The Daily Nonpareil Online. June 7, 2006. Tim Rohwer, Staff Writer.
http://www.zwire.com/site/news.cfm?newsid=16751509&BRD=2703&PAG=461&dept_id=555106&rfi=6

[2] Too Much, Too Fast, More Than They Can Chew.
VoteTrustUSA. June 9, 2006. John Gideon.
http://www.votetrustusa.org/index.php?option=com_content&task=view&id=1378&Itemid=51

[3] Voters to decide candidates in runoff. The Daily
Citizen. June 12, 2006. Jeff Hunter.
http://www.thedailycitizen.com/articles/2006/06/13/news/top_stories/top01.txt

[4] Glitch, absentee votes slow results. Great Falls
Tribune. June 8, 2006. Sonja Lee, Tribune Staff Writer.
http://www.greatfallstribune.com/apps/pbcs.dll/article?AID=/20060608/NEWS01/606080310/1002

[5] Ballot-counting problem. WHAS11.com. May 15, 2006.
http://www.whas11.com/topstories/stories/WHAS11_TOP_ballotcounting.42e3d88f.html

[6] Several Counties Have Vote Counting Problems.
WOWKTV 13. May 10, 2006. Dave Kirby.
http://wowktv.com/story.cfm?func=viewstory&storyid=10787

[7] Kanawha's dry run of voting machines remains
incomplete. Charleston Gazette. May 03, 2006. Archived at
http://www.votersunite.org/article.asp?id=6596

[8] Election test delayed. TMCnet. May 1, 2006, by
Charleston Gazette writer Phil Kabler and AP.
http://www.tmcnet.com/usubmit/2006/05/01/1628275.htm

[9] Vendor bender. City clerk blames ES&S for Election
Day difficulties. Times Record News. May 14, 2006.
Robert Morgan. Archived at
http://www.votersunite.org/article.asp?id=6598

[10] Recount Planned In Close Race For State House
Nomination. Todays THV. June 2, 2006.
http://www.todaysthv.com/news/news.aspx?storyid=29413

[11] Eight counties won't use electronic equipment in
runoff. The Log Cabin Democrat. June 9, 2006. By
Andrew DeMillo, AP.
http://ap.thecabin.net/pstories/state/ar/20060609/4000271.shtml

[12] Ballot problems mark 1st day of early voting.
Star-Telegram. May 2, 2006. Neil Strassman.
http://www.dfw.com/mld/dfw/news/local/14479735.htm

[13] Malfunction delays Hasting results. The Grand
Rapids Press. May 04, 2006. By Ben Cunningham.
http://www.mlive.com/news/grpress/index.ssf?/base/news-0/1146754492135040.xml&coll=6

[14] Most voting goes smoothly. A few glitches in
primary, not serious. Sun Herald. June 7, 2006. By
Shelia Byrd, AP.
http://www.sunherald.com/mld/sunherald/news/state/14758095.htm

[15] Election Uproar: County officials say there were plenty
of red flags. Laredo Morning Times. March 14, 2006. By
Julie Daffern.
http://www.zwire.com/site/index.cfm?newsid=16299334&BRD=2290&PAG=461&dept_id=473478&rfi=8

[16] About 600 Medford ballots cast in November ignored.
Mar l^ 2005. Marshfield News-Herald.
http://www.wisinfo.com/newsherald/mnhlocal/284049485656926.shtml

[17] Computer glitch blamed for miscount in JP voting.
Carroll County Star Tribune. November 10, 2004. By
Anna Mathews. Reproduced at
http://www.votersunite.org/article.asp?id=3889

[18] Clerk changes election vote totals. Star-Tribune.
August 21, 2004. By Matthew Van Dusen, staff writer.
http://www.casperstartribune.net/articles/2004/08/21/news/casper/6c2e825b3f9e154187256ef70007adbb.txt

[19] Commission OKs results of elections. Jonesboro Sun.
May 28, 2004. By LeAnn Askins.
http://www.jonesborosun.com/archivedstory.asp?ID=9486

[20] Software blamed in Precinct 8 Democratic chair race
mixup. LubbockOnline.com. March 11, 2004. By Brian
Williams, Avalanche-Journal.
http://www.lubbockonline.com/stories/031104/loc_031104030.shtml

[21] Returns are in: Software goofed — Lake County tally
misled 15 hopefuls. Chicago Tribune. April 4, 2003. By
Susan Kuczka, Tribune staff reporter. Reproduced at
http://www.vote.caltech.edu/mail-archives/votingtech/Apr-2003/0096.html

[22] Voting snafu answers elusive. The Mobile Register. 28
Jan 2003. By Brendan Kirby, staff writer. Referenced at
http://www.votewatch.us/Members/Unregistered%20User/electionexperience.2004-08-12.9166974619

[23] A late night in Sarpy; glitches delay results. Omaha
World-Herald. 6 November 2002. Referenced in Black
Box Voting, by Bev Harris, Chapter 2.

[24] 'Winners' may be losers. The News and Observer.
November 12, 2002. By Wade Rawlins and Rob
Christensen.

[25] Analysis: Senate races in Minnesota and South Dakota.
NPR: Morning Edition. 6 November 2002. Referenced in Black
Box Voting, by Bev Harris, Chapter 2.

[26] Mechanic to smooth vote. New Observer. October 15,
2004. By Jessica Rocha, Staff Writer.
http://newsobserver.com/news/story/1^0333p-7996316c.html

[27] Aug. 6 ballot problems alleged: Clay, Barton county
candidates seek review of races. Lawrence Journal-World.
August 22, 2002. AP.
http://www.ljworld.com/section/election02/story/103526

[28] Technician's Error, Not Machines, To Blame In Dade
Election Mix-Up. The Miami Herald. April 4, 2002. By
Oscar Corral.



Responses to:

Representative Holt’s Additional Questions for Witnesses
Committee on House Administration Hearing on
Electronic Voting Machines: Verification, Security, and Paper Trails
September 28, 2006


(1) My legislation has 219 cosponsors today, largely due to the lobbying efforts of voters 
and concerned citizens. It is truly an example of democracy in action. 

Could you share with the Committee your experience in working with the League of
Women Voters on this issue - as the League too experienced a “change of heart” also
almost entirely due to a “democratic uprising” of the Members?

The League’s early support for paperless Direct Recording Electronic (DRE) machines 
was troublesome for many League members, especially since the vulnerabilities of 
computers to hacking and insider manipulation are widely known. Perhaps even more 
disturbing was that the League’s position was being used as a justification for the 
widespread purchase of paperless DREs. 

How could this have happened? The great respect in which the League is held stems in 
large part from the care that the League traditionally has displayed in understanding and 
analyzing issues. The League studies an issue carefully before taking a position. Once a 
position is taken, the board determines what action, if any, to take as a result. While 
studies increase the time required to reach a position, careful examination combined with 
the consensus process protect the League from errors in judgment that might have serious 
repercussions. 

Regrettably, the League did not conduct any study on electronic voting machines, nor did 
it consult with the membership. The national board decided to support paperless DREs 
based on their interpretation of the League’s broadly written position on voting rights. 

The League leadership appeared to have relied on the advice of a couple of computer 
scientists, including Michael Shamos - who was quoted in several League documents and 
who spoke at the 2004 national League convention. 

As a computer scientist who had been involved with voting issues for several years, I
attempted to explain the risks of paperless DREs to the League lobbyists. While my
efforts were unsuccessful, I was hardly alone among League members in feeling that the
League had taken an unwise position. Leaguers from around the country asked the Board
to discontinue its support of paperless DREs. Individual members wrote to President Kay
Maxwell. Some Leagues, including the Massachusetts LWV, requested a change in the
national position. A letter to President Maxwell, expressing concern about “National’s
stand against individual paper confirmation for each ballot (VVPAT),” was signed by
924 League members from 35 states. A similar letter was signed by twenty-two local and
area Leagues from eight states.




At the 2004 national League convention, the delegates voted overwhelmingly for a new 
resolution calling for “the implementation of voting systems and procedures that are 
Secure, Accurate, Recountable, and Accessible”. This is known as the SARA resolution. 
After the 2004 convention many members were surprised by the LWVUS leadership’s 
misinterpretation of the SARA Resolution[iii]. The leadership claimed that SARA did not 
prevent the League from supporting paperless DREs. While the national League no 
longer endorsed paperless DREs, the leadership nonetheless signaled that they still 
approved of these machines, in part by allowing state and local Leagues to continue 
endorsing paperless DREs and by criticizing those Leagues that were advocating for 
voter verified paper ballots and random audits. 

In a discussion of the Voter-Verifiable Paper Trail in Helping America Vote, a League 
document released a few days after the 2004 Convention[iv], Georgia and Maryland - two 
states using paperless DREs[v] - were credited as having best practices. In addition, the 
following sentence appears: 

“However, a paper trail is not the only means available for auditing the voting 
process.” 

Helping America Vote was undoubtedly written prior to the Convention[vi]. However, our 
expectation that the LWVUS leadership would subsequently embrace all of the SARA 
Resolution was dashed when President Kay Maxwell testified before the Commission on 
Federal Election Reform on April 18, 2005. 

The League of Women Voters believes that voting technologies must be secure, 
accurate, recountable, and accessible. The term “recountable” is not a code word 
for paper trail; indeed, the League’s stand is based on the understanding that 
continued technological innovation is needed. 

No one questions that continued technological innovation is needed. But we ignore at 
our peril the serious vulnerabilities of the voting machines being deployed in our 
elections now. Furthermore, the SARA resolution did not equivocate on the meaning of 
the word “recountable”. 

The notion that “recountable is not a code word for paper” was repeated on other 
occasions by League leadership[vii]. 

I have asked League members and others who claim that paperless DREs can be 
recounted to explain precisely how to conduct such a recount, for example in cases such 
as Carteret County, NC where over 4000 votes were lost on a paperless DRE in the 2004 
election[viii]. I have never received a satisfactory answer. Of course one can always print 
out the contents of the computer’s memory and count that. But that is a reprint, not a 
recount. 

In the dramatic 2004 recount for Governor of Washington State, the Secretary of State 
and the political parties implicitly acknowledged the impossibility of a meaningful 
recount of paperless DREs. They all agreed not to print out copies of ballots from 
paperless DREs. Instead, they simply compared earlier results with recomputed ones.[ix]

Because of the League leadership’s stance on what “recountable” meant, or did not mean, 
those members who had worked very hard for the passage of the SARA Resolution 
realized that they had more work to do. Since the League holds its national convention 
every two years, the next opportunity to clarify the League’s position did not come until 
June 2006. In order to make sure that there would be no further confusion, a large 
majority at the 2006 convention passed the following resolution: 

Whereas; Some LWVs have had difficulty applying the SARA Resolution (Secure, 
Accurate, Recountable and Accessible) passed at the last Convention, and 
Whereas; Paperless electronic voting systems are not inherently secure, can malfunction, 
and do not provide a recountable audit trail. 

Therefore be it resolved that; 

The position on the Citizens’ Right to Vote be interpreted to affirm that LWVUS 
supports only voting systems that are designed so that: 

1. they employ a voter-verifiable paper ballot or other paper record, said paper 
being the official record of the voter’s intent; and 

2. the voter can verify, either by eye or with the aid of suitable devices for those 
who have impaired vision, that the paper ballot/record accurately reflects his or her 
intent; and 

3. such verification takes place while the voter is still in the process of voting; and 

4. the paper ballot/record is used for audits and recounts; and 

5. the vote totals can be verified by an independent hand count of the paper 
ballot/record; and 

6. routine audits of the paper ballot/record in randomly selected precincts can be 
conducted in every election, and the results published by the jurisdiction. 

The central theme of the League of Women Voters, and of the suffrage movement on 
which it was founded, is that every citizen should have the right to vote and to have that 
vote accurately counted. The work of the members who brought the two SARA 
resolutions to the League Conventions, combined with the overwhelming approval of 
those resolutions, are in the best tradition of the League. 

Active support by the League for voter verifiable paper ballots combined with mandatory 
random manual audits for all elections will be a major contribution to the increased 
security and accountability of our elections. 

Few things are more important to our democracy. 


(2) Michael Shamos opened his testimony by stating the following - “[t]he proposed bill 
is based on three major assumptions, all of which are false. First, it assumes that paper 
records are more secure than electronic ones, a proposition that has repeatedly been 
shown to be wrong throughout history. Second, it assumes that voting machines without 
voter-verified paper trails are unauditable because they are claimed to be "paperless," 
which is also false. They are neither paperless nor unauditable. Third, it assumes that 
paper trails actually solve the problems exhibited by DRE machines, which is likewise 
incorrect.” Do you agree with Mr. Shamos’ analysis, and if not, why not? 

I do not agree with Mr. Shamos’ claims, and I do not understand why he continues to 
make these claims in the face of overwhelming evidence to the contrary. 

First, it assumes that paper records are more secure than electronic ones, a proposition 
that has repeatedly been shown to be wrong throughout history. 

Security is an issue with any type of voting records. 

There is much more history with elections using paper records than with electronic 
records. It is well understood how to minimize the security risks in an election using 
paper records by having the transport and the counting of the ballots observed by 
representatives of the major parties. However, there is no satisfactory way for an 
observer of a purely electronic election to satisfy himself or herself that the count was 
done correctly and honestly. 

Mr. Shamos has stated that there has not been a verified instance of election tampering 
using paperless DREs. However, Mr. Shamos is unable to guarantee that no one has ever 
exploited the security holes that have been uncovered by computer security experts like 
Felten, Hursti, and Rubin. Mr. Shamos cannot make that guarantee because no one can. 

It is not possible, given the way we run elections, to verify that an election held on 
paperless DREs has not been subverted by malicious code. 

The report from Cuyahoga County[x], cited in Mr. Shamos’ testimony, reveals problems 
with both the electronic and the paper ballots. There were massive failures of every sort, 
including touchscreens freezing, voter access cards sticking, DRE legs breaking, and 
other unfamiliar and unexpected events[xi]. Many of these failures can be attributed to the 
really poor engineering of the DRE and the sloppy retrofits that were made for the 
VVPAT, as well as inadequate training, policies, and procedures. 

But perhaps the most significant findings of the Cuyahoga County report were the 
problems associated with the memory cards that contain the vote records. For example, 
twelve memory cards were lost[xii] and four memory cards were found in DREs several 
weeks after the election[xiii]. Consequently, some of the report’s findings are:[xiv]

Information on DRE memory cards can be automatically deleted. 

The memory cards used for electronic voting in Cuyahoga County have a 
potential for tampering, excessive expense, and chain of custody concerns. 

[emphasis in original] 


The report also makes clear that the VVPAT used in Cuyahoga County was poorly 
engineered and had poor usability and human factors.[xv] Furthermore, because poll 
workers were inadequately trained and the public insufficiently informed, “Some voters 
were unaware that they could lift the blue covering of the printer to observe the print out 
and verify their vote”[xvi]. Many of the paper jams would undoubtedly have been spotted a 
lot earlier had the opaque cover been opened, instead of left closed. 

Consequently, the lessons from Cuyahoga County do not support Mr. Shamos’ claim. 
There were severe problems with both the memory cards and the VVPAT. Furthermore, 
the VVPAT implementation was far from the state-of-the-art in paper ballot systems. 

Second, it assumes that voting machines without voter-verified paper trails are 
unauditable because they are claimed to be “paperless,” which is also false. 

No practical alternative means of auditing an election has been proposed. Any alternative 
auditing method would have to have the utmost confidence of the general public. There 
is no reason for people to trust the numbers printed out by a DRE at the end of the 
Election Day, as Professor Felten has demonstrated. 

Mr. Shamos stated in his written testimony[xvii]: 

Numerous effective verification methods are known that are not based on 
vulnerable paper records. These have not yet been implemented in viable 
commercial systems. I understand that scientists at NIST will soon announce 
another one. 

The only reference to any specific proposal provided by Mr. Shamos was to a new 
scheme by Prof. Ronald Rivest of MIT. Since this scheme is paper based, it is not a 
paperless method of auditing. 

In his oral testimony Mr. Shamos also suggested an approach involving two screens and a 
video camera in his oral testimony. In addition to being totally impractical, the video 
camera approach raises major problems involving privacy and the difficulty of 
conducting an audit or a recount. 

Third, it assumes that paper trails actually solve the problems exhibited by DRE 
machines, which is likewise incorrect. 

This claim appears to be based on recent experiences with DREs that have been 
retrofitted with poorly engineered VVPATs. Mr. Shamos seems to have overlooked the 
existence of optical scan based systems that produce easily audited Voter Verified Paper 
Ballots. 

The best voting system currently available for voters without vision or mobility problems 
is the precinct based optical scan system. Proponents of DREs argue that optical scan 
systems are not accessible. As I discussed in my testimony, there are devices, such as the 
Vote-PAD, that allow blind, and even blind-deaf voters (who cannot vote unassisted on 
DREs), to vote independently on optical scan ballots and to verify those ballots. 

The AutoMARK and the Populex electronic voting system also produce accessible Voter 
Verified Paper Ballots that can be tabulated by an optical scanner. Because neither 
system records or counts votes internally, they are not subject to the kind of vote rigging 
that has been demonstrated for DREs. However, for all of these systems it is crucial that 
a random manual audit be conducted in all elections as a check on the accuracy of optical 
scanners. 

Some of the retrofits done to paperless DREs by adding continuous roll thermal printed 
paper are poorly engineered. However, these retrofits are far superior to paperless DREs. 
At least with the retrofitted machines there is a chance that an effective audit or recount 
might be conducted. There is no technical reason why DREs with VVPATs that use 
reliable printer technology combined with good usability could not be produced. 


(3) In your testimony you described a report by Kelly Pierce, a nationally-known 
advocate for the blind and visually impaired, who had reviewed four voting machines in 
March, 2005 for the Cook County Ohio State's Attorney’s Office. In his report, entitled 
Accessibility Analysis of Four Proposed Voting Machines, you indicated that Mr. Pierce 
"analyzed tactually discernable controls, spoken prompts, visual display, poll worker 
assistance, volume control and normalization, and ballot review" and "found all four 
machines deficient in one or another of these areas . . ." You quoted Mr. Pierce as saying 
"[u]nfortunately, if any one of the four machines were to be deployed in Chicago or 
suburban Cook County as exhibited on March 15, many voters with disabilities, 
particularly blind voters, would not be able to cast a ballot independently and privately". 
Mr. Dickson took exception to your testimony on this subject, suggesting that all of the 
problems pointed out in the Pierce study had since been corrected. Do you agree, and if 
not, why not? 

No one, including Mr. Dickson, is claiming that all of the accessibility problems 
identified in Mr. Pierce’s report have been eliminated from new models of all DREs, let 
alone from the installed base of voting machines already in the field. Indeed, a serious 
question that is not being addressed is just who would pay for upgrades to repair 
machines that are defective from both a security and an accessibility standpoint. The 
situation in Cook County is atypical, because Cook County has a population and 
purchasing power greater than some states. As the Chicago Tribune noted,[xviii] Chicago 
and Cook County are “. . . Sequoia’s biggest piece of business in the nation.” Most 
counties do not find the manufacturers, even Sequoia, as cooperative as Mr. Pierce has 
found Sequoia to be with his county. 

Mr. Pierce’s report, while a highly worthwhile and useful document, was written 
primarily from the perspective of a totally blind voter. It does not, for example, deal 
much with issues such as lack of voter adjustable controls for color, contrast, and 
magnification, nor with physical access to the machines for voters who use wheelchairs. 
It discusses neither 2-switch input controls nor issues for voters who are deaf/blind for 
whom DREs are totally inaccessible. Mr. Pierce’s report is generally silent on 
accessibility issues for voters who have learning or cognitive disabilities. 

Additional problems with the Sequoia machines used for the March 21, 2006 primaries 
were uncovered in a report released in April 2006 by the Illinois Ballot Integrity 
Project.[xix] On page 15 of the Ballot Integrity Project report presented to the Cook 
County Board of Commissioners, we find: 

For example, the SBOE [State Board of Elections] staff tested the audio interface, 
but apparently no testing was done with any other assistive devices for which the 
AVC Edge might be equipped, such as sip-puff. While the sip-puff feature which 
allows access for severely physically disabled voters has been made available in 
other jurisdictions, it was not tested in Illinois, nor were the AVC Edge DREs used 
in Chicago and Cook County during Early Voting and on March 21, 2006, so 
equipped. 

The report continues with the following on page 16: 

One final consideration with respect to Section 301(a)(3) compliance requires 
mentioning and that is accessibility for those voters who require wheelchairs. 
Although the AVC Edge design incorporates a “wide-leg” design, almost all voters 
using wheelchairs are unable to reach the top displays on the touchscreen. While 
theoretically, one might consider using the keypad provided for non-sighted voters, 
this option is precluded because once the keypad is connected, the screen goes 
blank. Therefore, those sighted voters using wheelchairs would be forced to use the 
audio-prompt system which requires a substantially greater amount of time and 
would be both inconvenient and confusing. 

We have provided a significant commentary on the Section 301(a) compliance 
features of the AVC Edge because it’s this aspect that provides voting machine 
manufacturers and election officials with the strongest rationale for selling and 
purchasing these machines. Approximately $21 million are to be spent by the City 
and County for the purchase of DRE equipment. We must ask, was that equipment 
properly tested and certified by the State Board of Elections for the primary 
purpose for which it was intended? The absence of such testing and the SBOE (or 
the City or County) failing to require sip-puff features suggest that it was not. One 
might even speculate that actual compliance was less on the mind of the Illinois 
State Board of Elections than placing responsibility for compliance elsewhere: 

“I want somebody to say today they’re taking that responsibility [for disabled 
accessibility] and that it’s not ours, because I don’t want us being liable and that 
[disabled] community, you know, blaming us for allowing this to be out there. 
And you know, as I said. I’m just wanting to protect this Board from some things 
that we can’t necessarily control that you [Sequoia] will be.”[xx]


Later on page 16 there is the following: 

Despite two out of five DREs experiencing paper jams, significant shortcomings in 
the audio-assist component raised by both the disabled community and its own 
Director of Voting Systems Standards, having had no reference to the ITA report, 
non-compliance with Section 301(a)(3) and questions about compliance with 
Section 24C-2 of the Illinois Election Code, the Board granted interim certification 
to the “Sequoia AVC Edge Product” by unanimous vote. Due diligence or rush to 
judgment? 

Possibly even more relevant to our discussion, neither the Pierce report nor his recent 
letter, dated October 4, 2006 (see below), addresses the issue of accessible voter verified 
paper audit trails, an issue that is of concern to many voters with disabilities. In addition 
to Natalie Wormeli’s eloquent testimony included in my written statement, see for 
example: 

- A Verifiable, Accessible Vote, October 11, 2004 letter to the New York Times 
from Barbara Silverstone, Chief Executive, Lighthouse International[xxi]

- Touch Screens are not the best Choice for Disabled Voters, by A. J. Devies, 
President, Handicapped Adults of Volusia County[xxii]

- The list of at least seven organizations representing New York State voters with 
disabilities[xxiii] who signed The New York State Citizen’s Coalition on HAVA 
Implementation. A key point of the Coalition’s platform is the following: New 
voting machines should provide a "voter-verifiable paper audit trail" and 
incorporate "data-to-voice" technology to ensure full access by all.[xxiv]

Mr. Pierce analyzed four voting machines in his initial report dated March 23, 2005: the 
iVotronic from Election Systems and Software, the AVC Edge II from Sequoia Voting 
Systems, the eSlate from Hart InterCivic, and the AccuVote TS from Global Diebold. I 
referenced this report in both my written and oral testimony. In his oral comment, Mr. 
Dickson said: 

The rest of the story is that after those initial texts the company [emphasis added] 
was able to inexpensively and quickly make changes to the access procedures so 
that the problems were eliminated.[xxv]

It remains unclear to me as to why Mr. Dickson rose to the defense of one voting 
machine vendor in these Congressional hearings, when I clearly had just referenced a 
report that surveyed four voting machine vendors. He did not name the vendor to which 
he was referring, nor did he say why he defended one vendor from among the four that 
were cited. His comment gave the appearance, however, of suggesting that the problems 
of all of the vendors had been fixed. 


While Mr. Dickson chose not to address the accessibility of all four of the voting systems 
analyzed in the Pierce report, voting machine access problems have hardly been 
eliminated, as I discuss below. 



It was only after the hearing that I learned that Mr. Pierce, in response to my testimony, 
was preparing his October 4, 2006 update letter.[xxvi] However, the letter, included with 
this response, appears to update a report he wrote for the Cook County State’s Attorney’s 
Office dated June 30, 2005, entitled Evaluation of Audio Interface Sequoia Voting 
Systems AVC Edge. It is not an update to Mr. Pierce’s earlier March 23, 2005 report, 
referenced in my testimony. 

In his letter, Mr. Pierce does not mention the four voting machines he analyzed in 2005. 
Instead, he refers only to the Sequoia Edge II Plus voting system that is scheduled to 
replace the Sequoia AVC Edge II, used in the March primary, for the November 2006 
election in Cook County. While Mr. Pierce’s comments appear to suggest that the Edge 
II problems have also been fixed, it does not appear that Sequoia changed its access 
procedures for the Edge II. They did, however, make changes to the scripts of the 
messages. 

The Sequoia Edge II Plus does not represent simply a minor change in the features and 
software of the Edge II. Rather, it is based on the Smartmatic voting system used in 
Venezuela. Smartmatic International, a Venezuela based company, is the parent 
company of Sequoia Voting Systems[xxvii]. 

Like Mr. Dickson, Mr. Pierce’s update letter makes no reference to the other three flawed 
voting systems. In the interest of furthering improvement to the accessibility of voting 
systems for people with disabilities, we first discuss the four voting machines analyzed in 
Pierce’s original report. 

According to Noel Runyan, the blind computer scientist and accessibility engineer quoted 
by Mr. Pierce in his original report, the following accessibility problems, originally 
identified by Mr. Pierce, do not appear to have been fixed on currently shipping 
systems[xxviii]. All italicized text describing unfixed problems in the four voting machines 
are direct quotes from Accessibility Analysis of Four Proposed Voting Machines, by 
Kelly Pierce, Cook County State’s Attorney’s Office, March 23, 2005. 

Accuvote TS from Diebold: 

- The selection of access options must be done for the voter by a poll worker. 

- The keypad cannot be operated with a closed fist. 

- There still is no prompting of end users asking them if they want the screen turned 
off or giving them a control to do so independently. 

Edge II from Sequoia: 

- The machine does not have simultaneous audio and visual output. 

- The keypad does not permit operation with one hand or closed fist. 

- The language selection menu still has requirement for pressing Select twice to 
exit. 

- There still is the time-out bug that pops you back into the language menu. 

- The audio ballot review is still a non-pausable long drink from a fire hose. 

The voting machine from Sequoia functioned poorly at ballot review. 


The opening of contests and single and double button pushes adds to the 
complexity of the machine. 

After pressing a button, the Sequoia machine immediately advanced to the next 
contest with no information about what one exactly voted for and the ability to 
change one's vote in the event of error. 

eSlate from Hart: 

- The keys are still not tactilely discernable. 

- The navigation wheel is still too small, requiring fine motor control that is hard or 
impossible to do with a closed fist, mouth stick, etc. 

- The machine does not have built-in volume control and does not reset to normal 
value for each new voter. 

The only machine showing difficulty producing adequate volume was the eSlate 
by Hart InterCivic. 

The Hart InterCivic machine had more systemic issues with missing scripts, 
omitted information about the location of controls and a lack of prompting after a 
voter had voted in a contest so the voter knew what to do next to advance to the 
next race. 

Unfortunately, when end users change their votes in ballot review, they are left in 
the original voting screen and need to scroll all the way to the bottom of the ballot 
to exit. 

iVotronic from ES&S: 

- The machine does not have simultaneous audio and visual output. 

- The machine does not have built-in volume control and does not reset to normal 
value for each new voter. 

- The selection of the audio output feature must be done for the voter by poll 
worker. 

- There is no audio rate control. 

- By contrast, the IVotronic from ES&S would likely need much more script 
revision to ensure full understanding and clarity of the interface. In addition, new 
audio prompts would need to be added to help users of the audio ballot take the 
next step in progressing through the ballot. 

- For example, after the end user has cast a vote in a particular contest, the system 
confirms the vote but it fails to instruct the end user as how to use the machine to 
advance to the next contest and cast a vote in that contest. 

Many of the problems cited in Pierce’s original report remain in the Edge II Plus system 
discussed in his update letter. Again, quoting from Noel Runyan about the Sequoia Edge 
II Plus system[xxix]: 

- There is no simultaneous audio/video on the current Edge II and none on the Edge 
II Plus planned for use in this November 2006 election. 

- The 2-switch feature, while better than none, is a Band-Aid on a Band-Aid. For 
the Edge II, it does not include any change in the orientation and help messages to 
aid in the proper use of the 2-switch controls. The Edge II also currently requires 
that 2-switch users and other keypad users get their output in audio, without any 
video display, as if they were also blind. 

- The new V5 keypad for Edge II systems does not support one-handed use and 
both it and the newer keypad that is supposed to be available on the Edge II Plus 
systems are still not operable with a closed fist. 

The Edge II on which Mr. Runyan voted in the California June primary contained the 
newer software for the Edge II system. Nonetheless, Mr. Runyan still encountered major 
problems. Workers had great difficulty in setting up the Sequoia Edge II machines in 
proper audio mode. Bugs, such as the time-out bounce back to the language menu, also 
remained unfixed. 

At this point it is nearly impossible to know just which accessibility problems on the 
Sequoia Edge II have been fixed in the Edge II Plus and how effective those fixes may 
be, because - unfortunately - neither the specifications for the Edge II Plus nor the results 
of usability and accessibility tests are publicly available. However, experience has shown 
that it is unwise to accept vendors’ fixes and promises until the results can be 
demonstrated in real, certified, delivered machines. It appears that proper access 
usability testing has not been done on the Edge Two Plus systems in Illinois or elsewhere. 

Regarding the cost of upgrading existing machines, Mr. Runyan makes the following 
observations[xxx]: 

Another relevant issue is the cost of upgrading existing voting systems to take 
advantage of any of these changes - where possible. Some activists have been 
saying that we should go ahead and rush into buying the current DRE machines, 
despite their known security and access flaws, and then we can count on them being 
fixed or improved in the future. Even if the major problems could ever be solved, 
what will be the price and who will pay it? Certainly, not the Manufacturers. 

According to our local ROV office, Sequoia normally asks roughly $250 each to 
upgrade Edge II systems to the V5 keypads that have rate control keys and a jack 
for 2-switch input controls. 

According to reports in January, the state of New Mexico was about to pay around 
$16 million to upgrade their mostly Sequoia Advantage voting systems to Sequoia 
systems that could have VVPAT paper trails. Additionally, the NM Secretary of 
State was going to do in December 2005, as some activists would have us do - buy 
more of the same flawed and obsolete systems ($5 million more for NM). 

As a blind voter, I am impatient with the slow pace of adoption of secure and 
accessible voting systems. However, I feel strongly that it is extremely 
irresponsible for counties to rush into buying more flawed voting systems. To be 
specific about the VVPAT issue, I believe that, given the current voting systems 
designs, no new voting systems should be purchased unless they have accessible 
voter verifiable and auditable paper record capability such as is already available 
with at least one of the ballot marking systems. 

I also feel that the best way to solve the accessibility, usability, and security 
problems is to stop piling band aids on the old, obsolete DRE systems and 
introduce completely new voting systems whose designs included security and 
accessibility/usability considerations from the beginning of their conception. To 
meet the flexible accommodation requirements for usability and accessibility by a 
diverse population of voters, the current and future systems will need to employ 
modular systems and/or blends of various voting machines. 


(4) Since 1990 (and as set forth in the current EAC Voluntary Voting System Guidelines), 
federal voting machine standards have specified a mean time between failures (MTBF) of 
163 hours. This corresponds to a nearly 10% probability of machine failure on Election 
Day. Current machines appear to perform no better than the standards require. Modern 
technology is fully capable of MTBF's in the range of 15000 hours. What are your 
thoughts on the impact this reliability standard is having on the accuracy of our election 
process? 

It is easy to see how unconscionably weak the voting system MTBF standard is by 
comparing it with the MTBF for devices in common use today. For example, according 
to a study by Compaq Corp, a thin client PC, which in many ways resembles a DRE, 
typically has a MTBF of up to 170,000 hours[xxxi], as opposed to 163 hours. Nonetheless, 
the 163-hour MTBF standard was included in both the 2002 Voting System 
Standards/Guidelines[xxxii] and the recent 2005 Voluntary Voting System Guidelines[xxxiii]. 

Another disturbing aspect of the current MTBF standard is that “failure” can mean just 
about anything, including problems that are obvious to the voter, e.g. screen failure, and 
those that are hidden from the voter, e.g. failure to accurately record an individual’s vote. 
For example, 4,438 votes were irretrievably lost in early voting on paperless DREs in 
Carteret County, North Carolina in 2004. After recording about 3000 votes, the machine 
simply stopped recording votes[xxxiv]. 

High DRE failure rates combined with the lack of back-up paper ballots will 
disenfranchise voters, since most people are unable to spend hours waiting in line in 
order to cast their votes. 

Because voters dependent on DREs are more likely to be unable to vote than voters using 
optical scan or ballot marking voting systems, the use of unreliable DREs with no paper 
ballot voting options is an Equal Protection issue[xxxv]. 

DRE failures also impact disabled voters disproportionately by making it not possible for 
those voters to vote privately or independently. 

The impact of deploying unreliable voting machines that have no paper trail can be 
severe. For instance, according to the Montgomery County (Maryland) Board of 
Elections in a report entitled, 2004 Presidential General Election Review, Lessons 
Learned[xxxvi]: 

From Help Desk tickets and [Diebold] GEMS reports, 189 voting units (7%) of 
units deployed failed on Election Day. An additional 122 voting units (or 5%) were 
suspect based on number of votes captured. 

As a result of the large number of failures, additional tests were conducted on failed 
voting units. One of the unfortunate Lessons Learned by Montgomery County was that 
in future elections they would need even more voting machines than they had anticipated. 

At noon today (Dec. 13, 2004), 148 voting units have been tested; of these, 35 
have failed. Failed voting units will be returned to Diebold for further testing and 
repair or replacement. BOE has requested that Diebold formulate and provide us 
with a testing methodology and capture all results and subsequent repairs. 
Recommend: For future elections, deploy more voting units on Election Day, 
beyond the allotted one unit for every 200 voters to offset the higher than expected 
failure rate. [Emphasis added] 

The requirement that machines have redundant memories gives no protection if the 
failure is some kind of "common mode" failure that affects both memories. In that case, 
the lost votes would be irretrievable. An example of a common mode failure is an 
electrostatic discharge (ESD) into the electronics that feeds data to the memories[xxxvii]. In 
spite of the fact that touch screen technology is highly vulnerable to ESD, the machines 
are tested to less than half the voltage that can be expected in a carpeted polling place on 
a day with relative humidity under 25%. In addition, the practice of removing memories 
at poll closing for vote tabulation is dangerous. The IEEE P1583 draft voting machine 
standards that was provided to the NIST/EAC process had an added provision requiring 
additional testing if devices are removed during poll closing. Unfortunately, that 
provision never made it to the VVSG. ESD is highly dependent on relative humidity, if 
the people accessing the electronics are properly grounded (such as if they are wearing 
grounding straps - advised in manuals for most electronic equipment and mandatory for 
access to the internals of military electronics) and the materials in clothing, chair 
coverings, and floor coverings[xxxviii]. 

As Michael Shamos is quoted as saying in a December 2005 article[xxxix], we should be in 
an uproar about the failure rate of DREs: 

“I have good reason to believe that 10 percent of systems are failing on Election 
Day. That’s an unbelievable number,” Shamos told an assemblage of voting- 
system makers, elections officials and scientists. “Why are we not in an uproar 
about the failure of (touch-screen voting) systems?” 




This is the letter sent by Kelly Pierce that is referenced in my response to question 3. 



OFFICE OF THE STATE'S ATTORNEY 
Cook County, Illinois 

RICHARD A. DEVINE, STATE’S ATTORNEY 
Public Interest Bureau 
69 W. Washington - Suite 930 
Chicago, IL 60602 
312-603- 

To: Interested Persons 

From: Kelly Pierce, Disability Specialist 

Date: October 4, 2006 

I have become aware of widespread citation of my March 2005 accessibility review of four voting 
machines that were being considered for purchase by Cook County and the City of Chicago Board of 
Election Commissioners. Since this report was written, meaningful and substantial accessibility 
improvements have occurred. Following the public demonstration of the four voting machines on March 
15, 2005, Cook County Clerk David Orr announced on May 26, 2005 that he had chosen Sequoia Voting 
Systems as the new election system for suburban Cook County. The next week, the Chicago Board of 
Elections followed with a similar announcement. The first electronic voting machine to be used would be 
the AVC Edge. On June 13, 2005, Sequoia Voting Systems then President and CEO Tracey Graham met 
with disability leaders and the Cook County Clerk and described the company’s substantial commitment to 
improving the accessibility of the AVC Edge. An audio recording of a voting experience was produced 
that day following this meeting. The recording and end user experiences with the Sequoia AVC Edge were 
used to produce a June 30, 2005 report on the audio interface of the machine. Since completion of the 
report, Sequoia representatives spent more than 100 hours in enhancing and improving the audio script 
used by the AVC Edge, states a December 2005 memorandum by Sequoia President Jack Blaine. More 
than 20 hours were spent with city and county officials and leaders from the disability community 
reviewing the effectiveness of each audio prompt on the machine. Further, Sequoia redesigned its control 
box for the audio interface. The new control unit included easy to locate volume control buttons and a 
switch that increased or decreased the rate of speech in the audio recording. The new control unit also 
enabled those who could not use their hands to vote to plug in a sip and puff device so the ballot could be 
voted completely from someone’s assistive technology. 

Additionally, Sequoia committed to numerous other changes for the November 2006 election. In 
September 2006, Sequoia representatives met with the Cook County Clerk, the Executive Director of the 
Chicago Board of Election Commissioners and leaders in the disability community to demonstrate the new 
and enhanced accessibility features of the Sequoia Edge II Plus voting machine, which will be used in the 
November 2006 election. The Sequoia Edge II Plus replaces the AVC Edge used in the March primary 
election. The audio interface now includes navigational prompts on the contest menu and an interactive 
ballot review mode so blind and disabled voters can exit the review mode at a particular contest and change 
their selection as sighted voters can. The now accessible ballot review will largely resolve the problems 
that were described in my report by a Santa Clara County, California blind voter. The experiences of this 
voter, which were quoted in the report, were shared recently in testimony before a congressional 
committee. The company may refine the accessibility of its ballot review, further increasing the 
accessibility and usability of this newly accessible function. The re-designed touch screen on the Edge II 
Plus has legs that can be adjusted to different levels for various wheelchair heights. For the first time, 
people who have low vision will be able to view the ballot using a zoom function which magnifies the type 
up to 400 percent its normal size as well as view the ballot at a high color contrast. Sequoia has re-designed 
its audio control unit yet again. The buttons are concave and recessed so those with head or 
mouth sticks and pointing devices can operate the machine independently. There are now also separate 
large plug-in “buddy buttons” for people with limited dexterity to use. More substantial enhancements to 
the accessibility of the Sequoia Edge II Plus are planned in time for the municipal elections in spring 2007. 

At that time, most, if not all, of the accessibility problems identified in March 2006 will be dramatically 
reduced if not eliminated altogether. The flexible nature of information technology as deployed as 
electronic voting machines made the accessibility changes and enhancements possible. As has been stated 
in multiple reports by the National Council on Disability, a federal agency, when representatives of 
industry, government, and the disability community work together cooperatively as partners in using 
technology to solve accessibility problems, the inconceivable becomes possible enabling a new level of 
independence never before achieved. 


i Letter to President Kay Maxwell from Madhu J. Sridhar, President, Massachusetts 
LWV, dated March 25, 2004. 

ii Both letters and the list of signers can be found at http://www.leagueissues.org. 

iii So far as I know, the LWVUS never posted the SARA resolution on the publicly 
accessible portion of the website. I also have been unable to find it on the member only 
portion, but my guess is that it’s buried somewhere on the website. 

iv Helping America Vote, written by Tracy Warren in collaboration with Lloyd Leonard, 
Jeanette Senecal, and Kelly Ceballos, 2004. 

v They both use Diebold TS paperless DREs, the machine that Prof. Ed Felten has 
demonstrated to be highly vulnerable to election fraud. 

vi But the leadership knew that a voting machine resolution was going to be introduced 
and might pass. 

vii For example, on page 12 of the October 2004 issue of The National Voter (the 
publication sent to all LWV members), the SARA resolution is followed by the following 
sentence. “Since these criteria are not code words for any particular voting technology, 
the League neither supports nor opposes any type of technology per se, such as Direct 
Recording Electronic Voting Machines (DREs), Voter Verified Paper Trails (VVPTs) or 
optical scan”. 

viii Making Votes Count: One Last Election Result, New York Times editorial, January 
18, 2004, 
http://www.nytimes.com/2005/01/18/opinion/18tues1.html?ex=1107100499&ei=1&en=caf5841999b0d8ca 

ix Safeguards Built into Hand Count, Official Says, by Jim Haley, the Herald, Everett 
WA, December 14, 2004, 
http://www.heraldnet.com/stories/04/12/14/1001oc_recount001.cfm. 




x Final Report, Cuyahoga Election Review Panel, Cuyahoga County, OH, July 20, 2006, 
http://bocc.cuyahogacounty.us/GSC/pdf/elections/CERP_Final_Report_20060720.pdf 

xi Ibid, page 102. 

xii Ibid, page 139. 

xiii Ibid, page 46. 

xiv Ibid, page 46. 

xv Ibid, page 50-51. 

xvi Ibid, page 217. 

xvii Testimony by Mr. Michael I. Shamos before the Committee on House Administration, 
September 28, 2006. 

xviii http://www.chicagotribune.com/news/nationworld/chi-0602110098feb11,1,6644357.story or 
http://www.votetrustusa.org/index.php?option=com_content&task=view&id=913&Itemid=298 

xix The Primary Election of March 21, 2006 Analysis and Recommendations, April 27, 
2006, http://www.ballot-integrity.net/docs/Cook_County_Board_v6_4-26-2006.pdf 

xx This quote is footnoted in the original document as follows: Chairman Jesse R. Smart, 
EBOE, September 19, 2005 - Meeting transcript, page 18. 

xxi A Verifiable, Accessible Vote, by Barbara Silverstone, New York Times, June 14, 
2004, 
http://query.nytimes.com/gst/fullpage.html?res=9A0DE0DE1230F937A25755C0A9629C8B63&n=Top%252fReference%252fTimes%20Topics%252fSubjects%252fE%252fElections 

xxii August 1, 2006, 
http://www.votetrustusa.org/index.php?option=com_content&task=view&id=1595&Itemid=804. 
Also see My Rationale for Filing an ADA Complaint against the State of 
Florida, by A. J. Davies, April 4, 2006, 
http://www.votetrustusa.org/index.php?option=com_content&task=view&id=1159&Itemid=26 

xxiii American Council of the Blind of New York, Inc.; Center for Independence of the 
Disabled in New York (CIDNY); Disabilities Network of NYC; New York State Young 
Democrats Disability Issues Caucus; Queens Independent Living Center; Westchester 
Council of the Blind; Westchester Disabled on the Move, Inc. For the full list of 
endorsements, see http://www.nypirg.org/goodgov/hava/machines/endorsers.html 

xxiv For the full statement, see 
http://www.nypirg.org/goodgov/hava/machines/default.html 

xxv From the oral testimony of Jim Dickson before the Committee on House 
Administration’s hearing entitled, “Electronic Voting Machines: Verification, Security, 
and Paper Trails,” September 28, 2006. 

xxvi Letter from Kelly Pierce to Interested Persons, dated October 4, 2006. In that letter 
Pierce references my testimony in which I quote blind computer scientist Noel Runyan as 
follows: The experiences of this voter, which were quoted in the report, were shared 
recently in testimony before a congressional committee. 

xxvii 2005 Smartmatic acquired Sequoia Voting Systems, a well-known leader among 
suppliers of electronic voting systems in the U.S. market”. Quote taken from About 
Smartmatic, http://www.smartmatic.com/news_070_2005-10.htm. See also California: 
Sequoia Quietly Leading State E-voting, by Ian Hoffman, originally published in Inside 
Bay Area, available at 
http://www.votetrustusa.org/index.php?option=com_content&task=view&id=1411&Itemid=51 

xxviii Personal correspondence with Noel Runyan, October 3, 2006. 

xxix Personal correspondence with Noel Runyan, October 4, 2006. 

xxx Ibid. 

xxxi Network administrators can save time and money by letting servers carry the load, by 
J. B. Miles, Government Computer News, October 2, 2000, 
http://www.gcn.com/print/vol19_no29/3040-1.html. 

xxxii http://www.eac.gov/election_resources/vss.html 

xxxiii MTBF demonstrated during certification testing shall be at least 163 hours”, 
http://vote.nist.gov/VVSG2005Pt1.htm. 

xxxiv http://www.nytimes.com/2005/01/18/opinion/18tues1.html?ex=1107100499&ei=1&en=caf5841999b0d8ca 

xxxv For more discussion of equal protection and related issue, see DRE Reliability: 
Failure by Design?, by Howard Stanislevic, March 13, 2006, 
http://www.votetrustusa.org/pdfs/DRE_Reliability.pdf. 

xxxvi http://truevotemd.org/Resources/Lessons_Learned.pdf 

xxxvii ESD discussion is based on private communication from Stanley A. Klein, 
October 6, 2006. 

xxxviii Fundamentals of Electrostatic Discharge, ESD Association, Rome, NY, 2001, 
Table 2, page 5. 

xxxix Uncertainty Clouds Future of e-voting Tests, by Ian Hoffman, Oakland Tribune, 
December 1, 2005, available at http://www.votersunite.org/article.asp?id=6414. 





Forsyth County Elections and Voter Registration 
110 E. Main St. 
Cumming, Georgia 30040 
Tel - 770-781-2118 

Date: October 26, 2006 

To: Committee on House Administration 

From: Gary J. Smith, Director of Elections 

Reference: 2006 Hearing on Electronic Voting Machines: 
Verification, Security, and Paper Trails 

I have enclosed the following: 

• My transcript with no changes 

• Answers to Representative Holt’s questions 




Response from Gary J. Smith to Representative Holt’s questions - 10/26/06 


Committee on House Administration Hearing on Electronic Voting Machines: 
Verification, Security, and Paper Trails 
September 28, 2006 

Response from Gary Smith to Representative Holt’s Additional Questions - 
10/25/06 


Description of security procedures for Forsyth County Elections. Receipt, 
Maintenance, and Storage. 

(a) Acceptance tests. Upon the receipt of each new direct recording electronic voting unit 
(DRE), I am responsible to ensure that an acceptance test is performed on the device in 
accordance with standards issued by the Secretary of State. No DRE unit shall be 
accepted by our county or placed into service until such time as the unit satisfactorily 
passes the prescribed acceptance tests. 

(b) Storage of DRE units. 

1. We maintain our DRE units in accordance with the requirements of this rule, the 
directives of the Secretary of State, and the specifications and requirements of the 
manufacturer (Diebold). 

2. The DRE units are stored in a climate controlled space in which the temperature 
and humidity levels are maintained at acceptable levels year-round which shall not be 
lower than 5 degrees Celsius (41 degrees Fahrenheit) nor higher than 40 degrees Celsius 
(104 degrees Fahrenheit) and not lower than 35 percent relative humidity and not higher 
than 85 percent relative humidity such that no condensation forms on such units. The 
units are not stored in an area in which liquids or fluids stand, pool, or accumulate at 
any time or in areas that are subject to such standing, pooling, or accumulating liquids or 
fluids. The space in which the units are stored is secured by multiple security devices and 
is accessible only to persons authorized by myself to have access to such units or 
such space. The DRE units are kept on a rack system that has been constructed for the 
storage of the units. The batteries in each unit are charged at least quarterly in accordance 
with the manufacturer's specifications. 

3. The storage areas for DRE units is equipped with the following forms of electronic 
surveillance and protection: keypads and electronic locks, motion 
detectors, video surveillance, and a security system that is connected to an outside 
monitoring source, in our case the police department and fire department. 

4. We maintain numbered seals on all DRE units in storage and all seal numbers shall be 
recorded and on file in our office. 

5. Upon delivery to a polling place in preparation for a primary, election, or runoff, the 
DRE units are secured and protected from unauthorized access by storing the DRE 
units in a locked and secure room at the polling place, having the person taking 
possession of the units personally supervise the units at all times prior to the opening of 
the polls. 

6. Software security. The software contained in each DRE unit, regardless of whether 
the unit is owned by the county or the state, and the software used to program the unit 
and to tabulate and consolidate election results has not been modified, upgraded, or 
changed in any way without the specific approval of the Secretary of State. No other 
software is loaded onto or maintained or used on computers on which the GEMS 
software is located except as specifically authorized by the Secretary of State. Dynamic 
encryption keys help to secure our election results and we have the ability to change our 
passwords at each election. Election results are digitally signed to prevent any attempt to 
tamper with the contents of the memory cards. 

(d) Access to GEMS servers. 

1. The room in which the GEMS server is located is locked at all times when the 
server is not directly under my supervision or my designee. Lock and key access to the 
room where the GEMS server is located is limited to myself, my election supervisor, 
and emergency personnel. Building maintenance personnel have access to the room in 
which the GEMS server is located only to the extent necessary 
to carry out their maintenance duties and under our supervision. We maintain on file 
at all times in our office a complete and up-to-date list of all maintenance personnel with 
access to the room in which the GEMS server is located. Emergency personnel shall have 
access to the room in which the GEMS server is located only as necessary in the event of 
an emergency and only for the duration of such emergency condition and in this event, 
the computer controlled access monitors all ingress and egress as well as the video 
surveillance cameras. 

2. The GEMS server remains locked at all times when not in use. The key or keys to 
the GEMS server shall remain in the possession of myself and my designee at all times. 

(f) Security of DRE units and accessories. All DRE units, optical scanner devices, voter 
access cards, supervisor cards, memory cards, DRE unit keys, voting system software, 
and encoders are stored under lock and key at all times when not in use. Lock and 
key access to such items are limited to myself; my election supervisor; the personnel of 
my office; building maintenance personnel (under supervision); and emergency 
personnel. Building maintenance personnel have access to the area where such items are 
stored only to the extent necessary to carry out their maintenance duties and under 
supervision of the election staff. I maintain on file at all times in my office a complete 
and up-to-date list of all maintenance personnel with access to the area in which such 
items are stored. Emergency personnel have access to the area where such items are 
stored only as necessary in the event of an emergency and only for the duration of such 
emergency condition and under video surveillance and computer coded access. Whenever 
maintenance or emergency personnel are required to enter the storage area, it is required 
that I be notified in advance and maintain a log of those persons who entered 
the storage area. 

(g) Voting system handling requirements. 

1. All personnel, with the exception of the permanent employees of the Office of the 
Secretary of State and permanent employees of our county election staff, who prepare 
voting equipment for use in a primary, election, or runoff complete an oath of custodian 
before each election. One copy of the oath is placed on file in the office of the election 
superintendent and an additional copy is filed with the records for the election filed with 
the clerk of superior court. The oath of custodian is in the following form: 

STATE OF GEORGIA 
COUNTY OF FORSYTH 

OATH OF CUSTODIANS AND DEPUTY CUSTODIANS 
OF DRE UNITS 


I, __________, do swear (or affirm) that I will as a (deputy) custodian 
of the voting systems for the County Forsyth, faithfully perform all of my duties in 
accordance with state law; that I will prepare in accordance with all applicable rules and 
regulations governing the use of the voting system all DRE units to be used in primaries, 
elections, and runoffs in this county; that I will use my best endeavors to prevent any 
fraud, deceit, or abuse in carrying out my duties while preparing the DRE units for use in 
primaries, elections, and runoffs; and that I am not disqualified by law to hold the 
position of (deputy) custodian. 

Included for reference and visual description are some of the security seals and reports 
that help to maintain security and chain of custody. 



[Slide: DRE Door Seal (Forsyth County Registrations and Elections, 10/26/06)] 

• Implemented to respond to ... concerns 
• Tamper evident seals are ... security door after opening, ... complete 
• Log of seal numbers used ... Manager 
• Inspect & verify seal is intact 
• Notify Elections Office if tampered with 

[Slide: Tamper Resistant DRE Door Seal, Before Use and After Use (Forsyth County Registrations and Elections, 10/26/06)] 


CHAIN OF CUSTODY FORMS 


[Slide: DRE Recap Sheet, Opening the Polls (10/23/06)] 

• If the DRE unit is not at zero, turn the unit off ... 

[Slide: DRE Recap Sheet, Closing the Polls (Forsyth County Registrations and Elections, 10/23/06)] 

• Declare “The Polls are Closed” at 7:00 PM. Any voter(s) in line at 7:00 PM 
must be allowed to vote. Position a Poll Officer at end of the line to ensure 
that anyone arriving after 7:00 PM is NOT allowed to vote. 
• After last voter has voted, record the time on Recap Sheet. 
• Record the Count from each DRE unit in the “After Polls Close Count Number” Column. Add 
all counts listed in this column, enter the total number in Section 8. 
• Do not fill in this line ... 
• Record Numbered list and Electors list information from Epol. 


Part of poll worker training to assure voter access cards are not lost - 



EXIT DOOR STATION 

• Collect Voter Access Cards. 
• Give Voter “I Have Voted” Stickers. 
• Return used Voter Access Cards to ExpressPoll Station. 
• NO Voter should exit without first returning Voter Access Card. 


With respect to the comment about counterfeit voter access cards gaining access to the 
voting process - all Georgia Voter Access Cards in our county are maintained in secured 
storage and are of a type that is different than those used for training or any of our 
outreach programs. Although the prior Georgia Voter Access Card may have looked like 
something used in a Laundromat, the Georgia Smartcard currently used is coded for a 
specific card style for a specific precinct in our county for a specific election. Attempts 
to duplicate a commercially available smart card with the information needed to be used 
in an election have not been successful to our knowledge. 


All election systems equipment is part of our inventory for each of our precincts and is a 
routine part of the equipment delivery and chain of custody. This includes, but is not 
limited to: dre machine numbers, TS Access Cards, Encoders etc. These are kept on file 
by precinct, poll manager and issuance date. 


Question from Representative Holt - Does confidence in the security and accuracy of 
your voting systems - confidence among all races equally - matter? Representative Holt 
quoted both the 2004 Peach Poll http://www.cviog.uga.edu/peachpoll/2004-01-23.pdf 
and the 2005 Peach Poll http://www.cviog.uga.edu/peachpoll/2005-03-10.pdf with 
respect to the confidence of voters. 

Confidence in the security, integrity, and accuracy of the Georgia and Forsyth County 
voting system is of the utmost concern and importance for all voters, regardless of race. 
Your comment with respect to black voters should show: the recent Peach Poll indicates 
that statewide black voters had increased by four percentage points as very confident and 
decreased by two percentage points as not at all confident. In addition, 89% of all of the 
voters surveyed indicated that they were confident that their vote was counted accurately. 
As part of the continued advancement in elections in Georgia, we now offer “no excuse” 
absentee voting by paper ballot for all voters. In addition, we have “early voting” remote 
sites set up in Forsyth County to help with those who wish to Vote In Person, but are 
unable to on Election Day. The combination of “no excuse” and “early voting” have 
proven to be very popular with our county’s voters and seemingly with the other counties 
in Georgia. 




“And in Georgia, the replacement of the state’s hodgepodge of voting equipment with a 
uniform touchscreen voting system has had an even more dramatic impact, with the 
statewide rate of uncounted votes declining from 3.5% to .39%. Some of the biggest 
improvement in 2004 election was in heavily African-American precincts that had 
formerly used punch cards. Yet despite these improvements, the debate over electronic 
voting shows little sign of abating”. - Doug Gross, Georgia Election Data Shows Black Precincts Saw 
Biggest Voting Improvements, Ledger-Enquirer, Dec. 2, 2004, at 
http://www.ledger-enquirer.com/mld/ledgerenquirer/news/local/10321965.htm; Id.; see also Charles Stewart III, The Reliability of 
Electronic Voting Machines in Georgia, VTP Working Paper (Oct. 2004), available at 
http://www.vote.caltech.edu/Reports/georgiastewart.pdf. 


Question from Representative Holt - If someone walked off with a memory card or a 
voting machine in your jurisdiction, would you know? 

With the security procedures that we have in place, it would not be possible for someone 
to walk off with a memory card or voting machine in Forsyth County. 


I believe some of the following comments should be considered in any review of a 
contemporaneous paper audit trail. 

“Likewise, legislative bodies should avoid mandating any particular technological fix, 
such as the contemporaneous paper record or “voter verified paper audit trail.” A likely 
effect of that sort of mandate is to disadvantage minority, disabled, and non-English 
speaking voters. It can also be expected to stifle innovation by locking in a particular 
type of security enhancement, while discouraging other possibilities that may be more 
effective and easier to implement.” - For one discussion of the “voter-verified paper audit trail,” see Kevin 
Shelley, Cal. Sec’y of State, Ad Hoc Touch Screen Task Force Report 21 (2003), available at 
http://www.ss.ca.gov/elections/task_force_report.doc. 

“I conclude that, while there are legitimate reasons to be concerned about the 
implementation of DRE voting, paper should not be considered the gold standard. In 
particular, it is questionable whether adding printers to DRE machines is either a 
workable or effective solution to the vulnerabilities that exist.” - Daniel Tokaji - page 66 
Fordham Law Review - The Paperless Chase: Electronic Voting and Democratic Values 


A recent paper by Ted Selker and Jon Goler of Massachusetts Institute of Technology 
assesses the practical problems with the contemporaneous paper record. They find that: 

[The contemporaneous paper record] complicates two of the top three problems that 
have compromised more than one percent of American votes in 2000: equipment 
problems and polling place operations. It complicates the setup, teardown, and operation 
of the ballot place. It complicates polling place procedures during the vote. It gives extra 
and difficult tasks for a person to do and increases the problems with the user experience 
and the user interface. It also increases the length of time of voting, which makes it, with 
more steps, easier to make mistakes. 

Implementation of the contemporaneous paper record is thus considerably more 
difficult than some advocates’ public statements might suggest.” 




In conclusion, with the experience that I obtained in managing the recent manual audit 
of the VVPAT in Cuyahoga County - I agree with the comment made by Mr. Tokaji - 

“The experience of jurisdictions that have attempted to implement DREs capable of 
generating a contemporaneous paper record illustrates the practical difficulties inherent in 
making such a system work in a real-world election. Introducing an additional piece of 
equipment can complicate the voting process, resulting in confusion on the part of both 
voters and poll workers. The introduction of the contemporaneous paper record has 
proven to be no exception. And as described below, the device has proved problematic at 
best in jurisdictions that have attempted to use a contemporaneous paper record system 
on a limited basis.” - Daniel Tokaji - page 77 Fordham Law Review - The Paperless Chase: Electronic Voting 
and Democratic Values 


“Likewise, legislative bodies should avoid mandating any particular technological fix, 
such as the contemporaneous paper record or “voter verified paper audit trail.” A likely 
effect of that sort of mandate is to disadvantage minority, disabled, and non-English 
speaking voters. It can also be expected to stifle innovation by locking in a particular 
type of security enhancement, while discouraging other possibilities that may be more 
effective and easier to implement.” - For one discussion of the “voter-verified paper audit trail,” see Kevin 
Shelley, Cal. Sec’y of State, Ad Hoc Touch Screen Task Force Report 21 (2003), available at 
http://www.ss.ca.gov/elections/task_force_report.doc. 






Responses by Michael I. Shamos to 
Representative Holt’s Additional Questions for Witnesses 
Committee on House Administration Hearing on 
Electronic Voting Machines: Verification, Security, and Paper Trails 
September 28, 2006 

Answers to Questions for Michael Shamos 

1. I expect you are familiar with the Brennan Center of Justice, working in conjunction 
with the National Institute for Standards and Technology, Ron Rivest of M.I.T, former 
White House Cyber Security Advisor for George W. Bush Howard Schmidt, and other 
security experts. The task force that produced that report conducted an exhaustive and 
comprehensive analysis of all of the major types of voting systems used in the United 
States - DREs with VVPAT, DREs without, and optical scan systems. The report 
concluded that all of the systems were vulnerable to attack and malfunctions, and 
recommended that voter verified paper records, accompanied by routine random audits be 
used, and that the use of wireless devices be banned. As my legislation would implement 
all of those recommendations, I was very pleased not just about the report but also about 
the endorsement it received from Jeannette M. Wing, President’s Professor of Computer 
Science, Computer Science Department Head, Carnegie Mellon University - “I give my 
full support for this study. It is important for the nation to preserve our founding 
principle of democracy, which rests largely on the integrity of how we elect our leaders - 
our democratic process of voting.” Is your Institute for Software Research in the 
Computer Science Department at CMU? 

Answer: I declare at the outset my dismay at the personal enmity displayed by Rep. Holt 
in the formulation of this entire set of questions. They do not further legitimate 
congressional inquiry and are not calculated to repair the serious problems that have been 
identified in the text of H.R. 550. Though I may disagree with the premise of Rep. Holt’s 
bill, and find fault with it, I have never challenged his personal motives or qualifications. 

I apologize to the Committee to the extent that the tone of my answers has matched the 
malevolent spirit in which his questions were posed. 

I am familiar with the Brennan Center Report. I have read it. I am in general agreement 
with all of its recommendations, except for that of a paper trail, but I am in extreme 
disagreement with the logic and fictional scenarios used to arrive at those 
recommendations. That it has an otherwise impressive list of names associated with it is 
of no consequence if the report itself is flawed. You know from my testimony that I favor 
voter verification and random routine audits, and I am one of the loudest voices calling 
for a ban on wireless components. 

Prof Wing is head of the Computer Science Department at Carnegie Mellon University, 
which is a division of the School of Computer Science. I have known her for over 20 
years. The Institute for Software Research is a co-equal division of the School of 
Computer Science, but is not part of the Computer Science Department. It does not 
report to Prof Wing, and Prof Wing is not among its faculty. It would not matter if the 
situation were otherwise. The value of a report does not derive from its list of endorsers, 
but from whatever value might be gleaned from its content. I think you will find if you 
ask Prof Wing how many voting systems she has examined, she would say zero. I have 
examined 119 of them, so if appeal to authority were a valid method of argument (which 
it is not), my opinion on the Brennan Center Report would perhaps be of greater value 
than hers. CMU’s experts on electronic voting, namely me, Lorrie Cranor, David Farber 
and Alessandro Acquisti, are associated with the Institute for Software Research, not the 
Computer Science Department. I note with amusement that of the eight “endorsements” 
publicized by the Brennan Center on its website at 
http://www.brennancenter.org/programs/downloads/MOD%20Endorsements.pdf, five were 
furnished by authors of the report, hardly an independent view. Prof Wing was one of 
three non-author endorsers. 

The Brennan Center Report is not a paragon of scientific objectivity. The participants 
were deliberately selected based on their favorable inclination toward paper trails. I am 
informed that NIST withdrew its participation when it learned of this, and requested that 
the Brennan Center remove NIST’s name from the report. So the premise of your 
question, that the Brennan Center worked in conjunction with NIST, is incorrect. 

Possibly if the report’s external endorsers knew this to be the case they might not have 
been so free with their praise. 

It is no particular surprise that your legislation would implement the recommendations of 
the Brennan Center Report since the main points of H.R. 550 were suggested by some of the 
very same people who served on the Brennan Center Task Force. The implication that 
somehow the Brennan Center is therefore an independent supporter of H.R. 550 is 
incorrect. 

2. You identified that “[t]he effect of H.R. 550 would be to ban electronic voting entirely 
in Federal elections. The reason is that the bill sets forth conditions that are not met by 
any DRE system currently on the market in the United States. If it were to pass in its 
present form, there could be no more electronic voting in this country.” Section 2 of my 
legislation provides that every “voting system shall produce or require the use of an 
individual voter-verified paper record of the voter’s vote that shall be made available for 
inspection and verification by the voter before the voter’s vote is cast. For purposes of 
this clause, examples of such a record include a paper ballot prepared by the voter for the 
purpose of being read by an optical scanner (whether from a domestic or overseas 
location), a paper ballot created through the use of a ballot marking device, or a paper 
print-out of the paper ballots produced by a touch screen or other electronic voting 
machine, so long as in each case the record permits the voter to verify the record in 
accordance with this subparagraph.” Thus, touch screen machines, optical scan machines 
and ballot marking devices are all explicitly allowed by my legislation. Can you explain 
specifically which electronic systems you believe this legislation would outlaw? 

Answer: I believe that H.R. 550 is not quoted correctly in your question. The phrase 
“paper print-out of the paper ballots produced by a touch screen or other electronic voting 
machine” should instead read “paper print-out of the voter’s vote produced by a touch 
screen or other electronic voting machine.” 

H.R. 550 would outlaw all DRE machines currently on the market in the United States. It 
would allow optical scan and ballot marking devices which mark optical scan ballots. It 
is not sufficient to say that “touch screen machines ... are ... explicitly allowed by my 
legislation.” They may be expressly “allowed” but they are implicitly disallowed by the 
conditions the legislation places on them. For example, I might propose a bill that allows 
automobiles but requires them to get 150 miles per gallon of gasoline. Since no car 
achieves this, it implicitly outlaws cars while purporting to permit them. Likewise, your 
simultaneous requirement for a paper trail and voter secrecy is not currently satisfied by 
any paper trail machine. All sequential paper trail machines are automatically 
disqualified. Even Barbara Simons, a staunch paper trail advocate, so testified at the 
hearing on Sept. 28. The cut sheet machines (such as Avante), print indicia on the ballot, 
such as codes and identification numbers, that can be used by a voter to identify his ballot. 

3. You stated in your testimony that “the bill as written mandates a system that would 
violate constitutional and statutory provisions in more than half of the states. The secret 
ballot is regarded as an essential component of American democracy. Each one of the 
DRE paper trail systems that are currently on the market either enables voters to sell their 
votes, or allows the government and the public to discover precisely how each voter in a 
jurisdiction has voted. I cannot believe that the numerous sponsors of this legislation 
contemplated such an outcome.” The sponsors of HAVA already required a “permanent 
paper record with a manual audit capacity,” and the DREs you have certified for use in 
Pennsylvania presumably meet that requirement or I assume you would not have certified 
them. Can you explain how it is that the internal paper record produced by those DREs 
(which is not verifiable by voters) preserves the privacy of voters, while an external 
version of the same thing (which is verifiable by voters) does not? If either voters are 
randomly shuffled (directed to different voting booths) or the paper records are shuffled 
by each machine, do you think the secrecy of any voter’s ballot is compromised? 

Answer: It should be noted that I do not certify voting systems. I examine them and write 
reports recommending a grant or denial of certification. My reports are reviewed by the 
Pennsylvania Commissioner of Elections, the state’s HAVA Coordinator, the counsel for 
the Department of State and the Secretary of the Commonwealth. It is the Secretary who 
makes the ultimate decision on certification. I do not deny that I have a significant role in 
the process, but my recommendations are subject to extensive review. 

All machines certified in Pennsylvania have the capability of producing a “permanent 
physical record of each vote cast,” as required by 25 P.S. §3031.1. This requirement was 
enacted in 1980, predating HAVA by 22 years. They also satisfy the HAVA requirement 
of a “permanent paper record with a manual audit capacity for such system.” 42 U.S.C. 
§15481(a)(2)(B)(i). This is done in different ways by different vendors, but in general it 
consists of maintaining ballot images (cast vote records) in randomized order so they 
cannot be associated with any particular voter. The file of ballot images (randomized) 
can be printed out after the close of polls either at the original voting machine or at 
county central after results have been uploaded, or both. Sequential paper trail machines 
cannot shuffle any ballots and are completely non-random. Thus they are not an 
“external version of the same thing,” as your question suggests. 

Shuffling the paper records produced by the cut-sheet machines is not sufficient since 
each ballot has a unique identification code. Directing voters to different voting booths 
does not work for several reasons: (1) In Massachusetts, for example, DREs are used only 
for the disabled and no polling location has more than one machine. Therefore, the ballot 
of every disabled person is exposed in a recount; (2) HAVA itself provides that its 
accessibility requirements can be satisfied by having a single accessible machine in each 
polling place; (3) Even if there is more than one machine, there is no law that prevents 
any citizen from remaining in the polling place all day long and recording the machine on 
which each voter votes. But it is not even necessary to go to such lengths. Voter privacy 
forbids anyone from knowing how even one voter voted. So if someone watched which 
machine the first voter of the day used, that vote would be exposed. Likewise, if the 
machine on which the last voter voted is known, that voter’s choices would also be 
exposed; (4) In some jurisdictions, such as Pennsylvania, the law requires the judge of 
elections to assign a sequential number to each voter and to record that number on the poll list. 
This provides a one-to-one mapping between voters and the sequential paper trail. 

The fact that one or two small vendors produce cut-sheet VVPATs is of only minor 
consequence. The VVPAT systems of all the major manufacturers, Diebold, ES&S, 
Sequoia and Hart InterCivic, are all sequential. Replacing those systems, as H.R. 550 
would require, would cost additional billions of dollars. 

4. I understand you were instrumental in Pennsylvania’s certification of the Diebold TSx. 

a. Have you verified that the Diebold TSx does not have the same class of vulnerabilities 
as those described in the Diebold TS by Felten and his students? 

b. If so, please explain what Diebold had done to address these vulnerabilities and why 
you believe these steps to be sufficient. 

c. If not, did you recommend that Pennsylvania certify this machine? Why did you make 
the recommendation that you did? 

Answer: I was the examiner for the Diebold TSx and I recommended that it be denied 
certification following an examination in July 2005. I recommended its certification after 
a re-examination in November 2005. The certification was granted by the Secretary of 
the Commonwealth, pursuant to statute, not by me. 

a. The Diebold TSx exhibits one of the vulnerabilities identified by Harri Hursti and 
subsequently studied by Prof Felten. A knowledgeable intruder who gains access to the 
machine in secret is able to replace its software. The viral spread identified by Felten on 
the TS is not possible on the TSx because replacement of the software requires user 
acknowledgement on the TSx, so the software cannot spread without human cooperation. 




b. I am not a spokesperson for Diebold. However, I am informed that Diebold has 
submitted a new version of TSx for ITA examination that would eliminate the 
vulnerability. I am further informed that testing on this version is not yet complete. 

Since I do not know what solution has been implemented by Diebold, I can’t say whether 
or not it is sufficient. 

c. When I recommended that the machine be certified in January 2006, these 
vulnerabilities had not yet been discovered. The system had been federally qualified and 
passed all tests for conformance with state law. There was no rational basis on which to 
deny certification. Had the Secretary denied certification when the system conformed to 
the requirements of HAVA and Pennsylvania law, a vendor lawsuit to reverse such a 
clearly erroneous determination would have been successful. 

5. You acknowledge that security vulnerabilities have been demonstrated by Hursti, 
Felten and others. You go on to say, “Some of these vulnerabilities are severe and 
require immediate repair. But the point is that they are easily remedied.” 

d. If so, why were the security vulnerabilities not remedied initially? 

e. How do you know that the security vulnerabilities that have been uncovered by 
computer security experts have not already been exploited to rig elections? Precisely 
how do you prove that election rigging has not already occurred using paperless DREs. 

f. You assert that the vulnerabilities are easily remedied. Please explain in detail just 
how to remedy easily the vulnerabilities uncovered by Hursti, Felten, et al. 

g. Even if the security vulnerabilities were easily remedied, how will the remedies be 
applied to the voting systems currently in use? Please respond in particular to the fact 
that one of the vulnerabilities uncovered by Felten requires changes to the hardware in 
order to be remedied. 

Given that independent computer security experts such as Rubin, Felten, and Hursti have 
been able to examine only Diebold machines, how do you know that similar security 
vulnerabilities don’t exist on DREs produced by other vendors? 

Answer: 

d. The security vulnerability Hursti II/Felten was remedied in Pennsylvania immediately 
after it was discovered. Pennsylvania is the only state in which I had sufficient influence 
to urge such a step successfully. Hursti I, relating to use of AccuBasic on optical scan 
memory cards, has not been remedied and the system that exhibits that vulnerability 
(Diebold AccuVote OS) was denied certification in Pennsylvania. 

e. The answer is simple. Since there are no paperless DREs in Pennsylvania, no election 
has ever been held using them, so no election could have been rigged on a paperless DRE. 
All DREs have paper audit trails, but they are not necessarily shown to the voter. I 
presume you mean a DRE with a VVPAT. DREs with VVPATs do not necessarily 
expose election rigging, either, unless every voter checks the paper trail and the paper is 
used to recount the election. The mere existence of a VVPAT may deter, but does not 
prevent, rigging. 

I don’t know whether the vulnerabilities have ever been exploited to rig a DRE election, 
but there is no evidence that they have been. I can’t prove it, but neither is there any 
statute or regulation requiring such proof. To believe that rigging has occurred, one must 
give credence to a very unlikely, but not impossible, series of events: (1) the intruder 
must craft a program that only behaves badly during an election, and at no other time; (2) 
the intruder must leave no evidence of tampering, physical or otherwise; (3) the intruder 
must choose carefully how many or what percentage of votes to swap so as not to arouse 
undue suspicion; (4) the intruder must arrange to affect enough machines to alter the 
outcome of an election; (5) the intruder must cause his program to erase any trace of itself 
and replace itself with the authorized software without leaving any evidence; and (6) 
every intruder who has ever attempted such an intrusion must have succeeded perfectly, 
or we would have evidence of his attempt. It’s not impossible, but there is no reason 
whatsoever to believe it has happened. One might ask for proof that Martians are not 
living among us. There’s no proof they aren’t, but there’s no credible evidence that they 
are, either. Meanwhile, the whole time that people have been arguing over the security of 
DREs, real elections have regularly been stolen through simple manipulation of paper 
ballots. This has always been true and it remains true today. For an illuminating 
treatment, see “Deliver the Vote: A History of Election Fraud, an American Political 
Tradition, 1742-2004,” by Tracy Campbell (2005). 

f. Prof Felten is proud to demonstrate that he can rig a voting machine in one minute. In 
Pennsylvania we used the very same method to unrig the voting machines (assuming they 
had been rigged) in a minute. As I explained during my testimony, 16 copies of the 
certified software were obtained on memory cards from the ITA, one for each Diebold 
county in Pennsylvania. The copies were individually distributed to those counties. 

They were instructed at the time when the machines were to be prepared publicly for the 
election to insert the authorized memory card and answer “yes” to the questions asking 
whether to replace the machine’s firmware and software. This was done for each 
machine in each of the 16 counties. At this point the machines had the authorized, 
certified software. If anyone had previously tampered with them, and there was no 
evidence that anyone had, the effect of the tampering would have been nullified. 

Hursti I, involving report generation software on opscan memory cards, is easily 
remedied by either disabling the AccuBasic mechanism or digitally signing the 
AccuBasic files. Since this has not yet been done by the vendor, the machines affected 
by the vulnerability are not certified in Pennsylvania. 

g. The answer to (g) is the same as my answer to (f). In some cases, field re-installation 
of the certified software is required for each machine. The vulnerability identified by 
Prof Felten that he says requires a hardware change is the fact that someone who gains 
access to the machine can replace various physical components within, including ROM 
chips, and in effect transform the machine into a totally different machine. That is of 
course correct, and it applies to every computer system on Earth. The argument applies 
equally well to paper trails and bank vaults. Someone who has access to the paper trail 
can alter it; someone who has access to the bank vault can remove the money. Therefore, 
it is important to keep people away from voting machines and bank vaults. 

One might equally imagine entire impostor machines being substituted for the real ones, 
and equally fanciful hypotheses. The fact that someone is able to dream up a 
hypothetical attack does not mean that we need to discard DREs, and it certainly does not 
mean that we need to require paper trails, which now after field testing have shown 
themselves to be unwieldy and unreliable. In many cases the remediation of security 
problems consists not in software changes but in application of administrative and 
physical procedures. 

Re: similar vulnerabilities on other machines. The identified vulnerabilities depend on 
architectural aspects of the Diebold systems that are not shared by any other systems. 





The Chairman. Welcome, Representative Holt. We are pleased to 
have you here. This is one of the few times in the Congress when 
you will find two physicists sitting at the front desk listening to 
testimony. 

At this time, I would like to recognize the Ranking Member, Ms. 
Millender-McDonald, for any opening remarks she may have. 

Ms. Millender-McDonald. Thank you, Mr. Chairman, and good 
morning to you and all the witnesses and guests here this morning. 
I would like to thank you, Mr. Chairman, for calling this very important 
hearing on electronic voting machines. I am sure that you 
have heard from your constituents and constituents around the 
country, as I have heard, that folks are wary about these voting 
machine apparatuses and they are not sure whether or not they 
are working. 

Let me also thank you, Mr. Chairman, for welcoming Congressman 
Rush Holt to sit on the panel this morning. It was just 6 years 
ago that the 2000 Presidential election brought to light many problems 
with the elections process in our country. We encountered a 
wide range of frustrations with the election administration. Some 
of the most infamous problems involved punch cards with all of the 
hanging chads that the Chairman has just shown you. Others involved 
voters who were turned away from the polls without the opportunity 
to cast a vote. 

In response, this committee worked diligently and passed the 
Help America Vote Act, which is HAVA, to rid the country of outdated 
voting equipment and to ensure no eligible voter is turned 
away from the polls without casting a vote. Despite the passage of 
HAVA, however, many problems still remain, as we witnessed during 
the 2004 election and in several primaries this year. 

Today I hope to hear about methods of addressing these issues, 
even if we may not be able to implement suggested recommendations 
before the November election. I also hope that this oversight 
hearing will serve as a forum for the American people to gain confidence 
in direct recording electronic voting system machines. 

After the 2000 election, DRE, as we call them, machines were 
viewed as the answer to hanging chads and century-old lever machines. 
DRE machines also allowed individuals with disabilities to 
vote in private and without assistance for the first time. They have 
also been supported by a number of civil rights organizations, given 
the ease with which they are able to be programmed to display ballots 
in foreign languages. 

However, as we are aware, many concerns have been raised 
about the integrity and the reliability of these DRE machines. In 
fact, at times it may be seen that these machines have raised many 
more questions than answers. For example, some have called for a 
voter-verified paper audit trail for DRE machines. Some States already 
require this function for DRE machines. 

But even this similarly simple method raises numerous concerns. 
For example, when mechanisms serve as the official — what mechanism 
serves as the official record in a recount? That is a question 
that has been raised often. What happens when the printer jams? 
Would the votes which were properly recorded by the DRE be 
thrown out if they are not similarly recorded on the paper? Those 
are the questions that have been raised often. 





I am also interested in hearing from our witnesses, especially the 
local election officials, regarding their views about the wisdom of 
imposing a Federal mandate which would specify which type of 
election equipment should be used. These decisions have mostly 
been left up to the State and local officials throughout our country’s 
history, and I would like to know what the impact of a Federal 
mandate and a standard in this area would be, what precedent it 
would set for future election administration mandates on the 
States by the Federal Government, and how these mandates would 
be funded. 

In addition to discussing established concerns about DRE machines, 
I hope the witnesses invited today will address the security 
of all voting equipment. Only one-third of Americans will cast ballots 
on DRE machines, and although that number is growing, it 
still means that two-thirds of our voters will be casting ballots 
using other methodologies. Are these machines secure, are they reliable, 
are they subject to a suitable level of scrutiny? 

I am concerned that all of the media attention to voting security 
will inadvertently discourage voters from going to the polls, resulting 
in voter suppression. As we witnessed a few weeks ago in 
Maryland, voting machine reliability, stability and accuracy was 
not the inherent cause of mayhem. The lack of poll-worker training 
and other human factors of election administration caused problems 
and confusion at the polls for both voters and poll workers. 
If we do not adequately address all of these issues, voters may feel 
as if their votes will not be counted and decide not to participate 
on election day. 

This is one reason why I offered an amendment to double the 
funding for the college poll-worker training program. This program 
encourages college-age students to serve as poll workers and to become 
more involved with the election administration process. 

The electoral process is not perfect, Mr. Chairman. Improvements 
to the electoral process itself still need to be made. Fortunately, 
the Help America Vote Act of 2002 is a solid foundation 
upon which we can institute further electoral improvements. HAVA 
made it easier for voters to cast a ballot and harder for people to 
knowingly commit crime and fraud, which is why we need to appropriate 
the remaining $800 million balance which was authorized in 
title 2 of HAVA to fully fund the States and give HAVA a chance 
to work. 

As I have stated in the past, it is guaranteed that your vote will 
be lost if you don’t cast a ballot. I would encourage every eligible 
voter to cast a ballot, no matter how harsh the rhetoric about the 
November elections and no matter how that ballot is cast: by DRE 
machines, absentee ballots, provisional ballots or whatever. Americans 
need to get out in November with the confidence that their 
vote will be counted correctly. Exercising this precious right is 
more important than the outcome of the elections, Mr. Chairman. 

I hope we can convene additional hearings in the future to examine 
any shortcomings in election administration and any impediments 
that voters experience in exercising their constitutional 
rights. 

I look forward to working with the Chairman and other members 
to continue to improve the voting process and I will continue to 
seek full funding of the Election Assistance Commission title 2 
grants to ensure that the EAC can continue its crucial work to improve 
the electoral process. Even if one voter is disenfranchised, 
that is one voter too many. Thank you, Mr. Chairman. 

[The information follows:] 





CHA Oversight Hearing on 

Electronic Voting Machines: Verification, Security, and Paper Trails 
September 28, 2006 
10:00 AM 

1310 Longworth House Office Building 


OPENING STATEMENT OF 

REP. JUANITA MILLENDER-MCDONALD, RANKING MEMBER 

Good morning Mr. Chairman, witnesses and guests. I want to thank the Chairman for 
calling this very important hearing on electronic voting machines. It was just six years 
ago that the 2000 Presidential election brought to light many problems with the elections 
process in our country. We encountered a wide range of frustrations with election 
administration. Some of the most infamous problems involved punch cards with hanging 
or pregnant chads. Others involved voters who were turned away from the polls without 
the opportunity to cast a ballot. In response, this Committee worked diligently and 
passed the Help America Vote Act (HAVA) to rid the country of outdated voting 
equipment and to ensure that no eligible voter is turned away from the polls without 
casting a ballot. 

Despite the passage of HAVA, many problems still remain, as we witnessed during the 
2004 election and in several primaries this year. Today I hope to hear about methods of 
addressing these issues, even if we may not be able to implement suggested 
recommendations before the November election. I also hope that this oversight hearing 
will serve as a forum for the American people to gain confidence in direct recording 
electronic voting system (DRE) machines. 

After the 2000 election, DRE machines were viewed as the answer to hanging chads and 
century-old lever machines. DRE machines also allowed individuals with disabilities to 
vote in private and without assistance for the first time. They have also been supported 
by a number of civil rights organizations given the ease with which they are able to be 
programmed to display ballots in foreign languages. However, as we are aware, many 
concerns have been raised about the integrity and reliability of these DRE machines. In 
fact, at times it may seem that these machines have raised many more questions than 
answers. 

For example, some have called for a Voter Verified Paper Audit Trail for DRE machines. 
Some states already require this function for DRE machines. But even this seemingly 
simple method raises numerous concerns. For example, what mechanism serves as the 
official record in a recount? What happens when the printers jam? Would the votes 
which were properly recorded by the DRE be thrown out if they are not similarly 
recorded on the paper? 





I am also interested in hearing from our witnesses, especially the local election officials, 
regarding their views about the wisdom of imposing a federal mandate which would 
specify what type of election equipment should be used. These decisions have mostly 
been left up to state and local officials throughout our nation’s history and I would like to 
know what the impact of a federal standard in this area would be, what precedent it 
would set for future election administration mandates on the states by the federal 
government, and how these mandates would be funded. 

In addition to discussing established concerns about DRE machines, I hope the witnesses 
invited today will address the security of all voting equipment. Only 1/3 of Americans 
will cast ballots on DRE machines, and although that number is growing, it still means 
that 2/3 of our voters will be casting ballots using other methods. Are these machines 
secure? Are they as reliable? Are they subject to a suitable level of scrutiny? 

I am concerned that all of the media attention to voting security will inadvertently 
discourage voters from going to the polls, resulting in voter suppression. As we 
witnessed a few weeks ago in Maryland, voting machine reliability, security, and 
accuracy were not the inherent causes of mayhem. The lack of poll worker training and 
other human factors of election administration created problems and confusion at the 
polls for both voters and poll workers. If we do not adequately address all of these 
issues, voters may feel as if their votes will not count and decide not to participate on 
Election Day. This is one reason why I offered an amendment to double the funding for 
the college poll worker training program. This program encourages college-age students 
to serve as poll workers and to become more involved with the election administration 
process. 

The electoral process is not perfect. Improvements to the electoral process itself still 
need to be made. Fortunately, the Help America Vote Act of 2002 (HAVA) is a solid 
foundation upon which we can institute further electoral improvements. HAVA made it 
easier for voters to cast a ballot and harder for people to knowingly commit fraud, which 
is why we need to appropriate the remaining $800 million dollar balance, which was 
authorized in Title II of HAVA, to fully fund the states, and give HAVA a chance to 
work. 

As I have stated in the past, it is guaranteed that your vote will be lost if you don’t cast a 
ballot. I would encourage every eligible voter to cast a ballot, no matter how harsh the 
rhetoric about the November elections, and no matter how that ballot is cast - by DRE 
machine, absentee ballot, provisional ballot or otherwise. Americans need to get out and 
vote in November with the confidence that their votes will be counted correctly. 
Exercising that right is more important than the outcome of the elections, Mr. Chairman. 
I hope we can convene additional hearings in the future to examine any shortcoming in 
election administration, and any impediments that voters experience in exercising their 
constitutional rights. 

I look forward to working with the Chairman and other Members to continue to improve 
the voting process and I will continue to seek full funding of the Election Assistance 
Commission Title II grants to ensure that the EAC can continue its crucial work of 
improving the electoral process. Even if one voter is disenfranchised, that is one voter 
too many. 

Thank you again, Mr. Chairman, for convening this hearing. I look forward to hearing 
the testimony of all the witnesses. 

The Chairman. I thank the Ranking Member for her comments, 
and I especially want to reinforce something you said. Voting in 
this nation has traditionally been controlled and operated by the 
local municipalities, cities, townships, counties and by the states. 
The only reason the federal government entered this is because of 
the problems with a federal election of a president in 2000, and we 
continue to have great respect for the localities and the States 
which have the responsibilities for implementation. We are simply 
trying to establish standards only for the federal elections. 

Ms. Lofgren, do you have an opening statement? 

Ms. Lofgren. Thank you, Mr. Chairman. I am glad that we are 
having this hearing today and delighted that we are joined by our 
colleague, Mr. Holt, the author of H.R. 550. I am inclined to think 
that Mr. Holt’s approach is the right one, but I have declined to 
be a coauthor of this bill until this hearing because I wanted to try 
and keep an open mind on this subject and listen to the witnesses, 
without being a coauthor of the bill. But coming from Silicon Valley, 
you can imagine that I have had considerable input from people 
who are quite skilled, and I guess the question that needs to 
be answered is can this election be hacked. 

There are many issues, I am sure we will get into them today, 
but the integrity of the election process is absolutely essential to 
the sustenance of a vigorous democracy. Elections do count, as we 
know. And the direction that our country is going in will be decided 
by elections. If we can’t know for a certainty that that process is 
not corrupted, then it really goes to the core of the spirit of our Na- 
tion and our future as a democracy. 

So I realize we are not in a markup mode here today, we are 
here to get information. I am going to listen very carefully to all 
the witnesses, but I am hopeful that we could take quick action be- 
cause this — my own State of California has already moved in the 
direction that Mr. Holt is suggesting with the verifiable paper 
audit trail. We need to be able to let the voters of America know 
that their elections are on the up-and-up and their vote really does 
count and the election has not been hacked. 

So with that, Mr. Chairman, I thank you for holding this hearing 
and I will yield back because I am eager to hear a very large panel 
of witnesses before we are called to vote. Thank you very much. 

The Chairman. Thank you for your statement. 

Mr. Holt’s statement will be entered into the record as we men- 
tioned earlier. 

In setting up the panel for this hearing I was determined to try 
to get the broadest representation possible. I would have had to 
have 27 witnesses to totally accomplish that, but the fact is that 
we have tried very hard, as indicated by the large number of wit- 
nesses we do have. 

I am very pleased with the quality of the witnesses who agreed 
to appear and we now turn to Dr. Felten for his testimony. He is 
a professor in the Department of Computer Science at Princeton 
University, which also happens to be Mr. Holt’s district. He re- 
cently completed a study of an electronic voting system and will 
give us a report on his findings. I also understand you have a dem- 
onstration for us. Dr. Felten. You may begin. 



STATEMENT OF EDWARD W. FELTEN, PROFESSOR, DEPART- 
MENT OF COMPUTER SCIENCE, PRINCETON UNIVERSITY 

Mr. Felten. Thank you, Mr. Chairman, and members of the 
committee for the opportunity to testify today 

Ms. Lofgren. Mr. Chairman, there are lights on that. Is there 
a way — much better. 

Mr. Felten. From a security standpoint what distinguishes com- 
puterized voting systems from traditional systems is not that com- 
puters are easier to compromise but that the consequences of com- 
promise can be so much more severe. Tampering with an old-fash- 
ioned ballot box can affect a few hundred votes at most, but inject- 
ing a virus into a single computerized voting machine can poten- 
tially affect an entire election. 

Two weeks ago my colleagues, Ariel Feldman and Alex 
Halderman, and I released a detailed security analysis of this ma- 
chine, the Diebold AccuVote-TS which was used in Maryland, Geor- 
gia, and elsewhere. My written testimony summarizes the findings 
of our study. 

One main finding is the machines are susceptible to computer vi- 
ruses that spread from machine to machine and silently transfer 
votes from one candidate to another. Such a virus requires mod- 
erate computer programming skills to construct. Launching it re- 
quires access to a single voting machine for as little as 1 minute. 

I will now demonstrate this using a virus we constructed in our 
laboratory. We have set up here a simulated election for President 
between George Washington and Benedict Arnold. It is election day 
morning and we just opened the polls. No votes have been cast yet. 
I will start by casting the first vote. When I checked in at the poll- 
ing place at the front desk, the poll worker gave me this voter card 
which I now insert into the machine. I press the start button and 
I choose to cast my vote for George Washington. The machine asks 
me to confirm my choice and I confirm my choice and cast my bal- 
lot. 

The second vote is similar. I insert another voter card, I choose 
George Washington again, and again I confirm and cast my ballot. 
The third voter inserts another voter card and votes again for 
George Washington. The correct vote count in this election obvi- 
ously is George Washington, three; Benedict Arnold, zero. 

Now it is the close of election day. A poll worker inserts a special 
supervisor card into the machine, enters a PIN code, and tells the 
machine to end the election and tally the votes. The machine will 
now print out a paper tape summarizing the ballot count. When I 
cast my votes earlier my choice of candidate was recorded in the 
machine’s electronic memory. This record of my vote was invisible 
to me. I had no way of verifying whether it was recorded correctly 
or whether it was changed after it was recorded. 

In this machine the records were modified by our virus. This 
paper tape printed out by the machine reports the elections result. 
It shows George Washington with one vote and Benedict Arnold 
with two. Every record in the machine and outside the machine is 
consistent with this fraudulent result. 

Our technical report referenced in my written testimony goes 
into considerable detail about this problem and explains why existing 
election procedures are not sufficient to prevent it. One lesson 
is that security depends on getting the technical details right. Too 
often the designers of this machine fail to get the details right. A 
good example is the access door here on the side of the machine. 
It protects the removable memory card that stores the votes, so the 
door should be locked securely and access to the keys should be 
strictly limited; but in fact tens of thousands of AccuVote machines 
can all be opened with the very same key, and this very same key 
is used widely in office furniture, jukeboxes and even hotel 
minibars. It is easily purchased on the Internet. This one I bought 
online from a jukebox supply shop and it does open the machine. 

The implications of our study go beyond just this machine and 
reveal broader systemic problems. More worrisome than any spe- 
cific vulnerability is that this system, despite its many problems, 
was certified, purchased and deployed by many States and counties 
and has been used in important elections. 

We can do more to improve the security of our e-voting. I detail 
many recommendations in my study and written testimony, but 
one important safeguard is a voter-verified paper audit trail. A 
well-designed paper trail can improve security and enhance voter 
confidence without compromising accessibility. Certainly paper 
records have their drawbacks, but they have different failure 
modes than electronic records do and the combination of electronic 
and paper records can be more robust against fraud than either 
one would be alone. 

Getting the details of voting right is difficult, especially in today’s 
high-tech polling place, but failure is not an option. The stakes are 
too high and the risk of malfunction or fraud too great to make our 
current course tenable in the long run. 

Election experts, accessibility experts, and computer security ex- 
perts all have a role to play in improving our voting system. If we 
work together we can solve this problem and give the American 
people the voting system they deserve. 

Thank you for your time and attention. 

The Chairman. Thank you very much for your testimony. 

[The statement of Mr. Felten follows:] 



Testimony of Edward W. Felten 

Professor of Computer Science and Public Affairs, Princeton University 

United States House of Representatives, Committee on House Administration 

Hearing on 

Electronic Voting Machines: Verification, Security, and Paper Trails 
September 28, 2006 

Open the lid of an electronic voting machine and look inside; what you will see is 
a computer, much like an ordinary desktop PC or Mac. Because they are computers, e- 
voting machines are susceptible to familiar computer problems such as crashes, bugs, 
mysterious malfunctions, data tampering, and even computer viruses. The question is 
not whether we can eliminate these problems - we cannot - but how we will cope with 
them. 

Unlike ordinary desktop computers, e-voting systems are entrusted with the most 
important process of our democracy - collecting and counting votes - and must perform 
that process accurately, reliably, accessibly, and securely. Trust in election outcomes is 
necessary for our electoral system to work, but the political system often does not lend 
itself easily to trusting relationships. Voting technologies must help to build this trust. 
Today’s e-voting infrastructure is not up to the task, but tomorrow’s can be. 

Two weeks ago Ariel J. Feldman, J. Alex Halderman, and I released a paper 
analyzing in detail the security of the Diebold AccuVote-TS, one of the most widely used 
e-voting systems. The main findings of our study were as follows: 

1. Malicious software running on a single voting machine can steal votes with 
little if any risk of detection. The malicious software can modify all of the 
records, audit logs, and counters kept by the voting machine, so that even 
careful forensic examination of these records will find nothing amiss. We 
have constructed demonstration software that carries out this vote-stealing 
attack. 

2. Anyone who has physical access to a voting machine, or to a memory card 
that will later be inserted into a machine, can install said malicious software 
using a simple method that takes as little as one minute. In practice, poll 
workers and others often have unsupervised access to the machines. 

3. AccuVote-TS machines are susceptible to voting-machine viruses — 
computer viruses that can spread malicious software automatically and 
invisibly from machine to machine during normal pre- and post-election 
activity. We have constructed a demonstration virus that spreads in this way, 
installing our demonstration vote-stealing program on every machine it 
infects. 

4. While some of these problems can be eliminated by improving Diebold's 
software, others cannot be remedied without replacing the machines' 
hardware. Changes to election procedures would also be required to ensure 
security. 

Our web site at http://itpolicy.princeton.edu/voting has links to our full technical report 
and a ten-minute video showing our demonstration vote-stealing virus in operation. The 
technical report goes into considerable detail and includes a discussion of why existing 
election procedures are not sufficient to prevent virus attacks. While we are not alleging 
fraud in any specific past election, our results do raise serious concern about the security 
of future elections. 


One lesson of our study is that security depends on getting the technical details 
right. A security measure that sounds robust in the abstract may be useless or worse if 
implemented poorly. Too often, the designers of the AccuVote-TS failed to get the 
details right. 

A good example is the AccuVote-TS access door. The access door on this 
machine protects the removable memory card that stores the votes, so the door should be 
locked securely and access to the keys should be strictly limited. In fact, the tens of 
thousands of AccuVote-TS machines can all be opened with the same key, and this very 
same key is used widely in office furniture, jukeboxes, and even hotel minibars. I 
bought several keys on the Internet from an office furniture shop and a jukebox supply 
shop, and they all open the AccuVote-TS. Details matter. It is not enough to have a key; 
it matters which key you use. 

Some voting machines, including the AccuVote-TS, record votes internally in a 
computer file, with the votes stored in the order they were cast. This approach endangers 
the secrecy of the ballot. If election procedures record the order in which voters cast their 
votes (or allow partisan observers to do so, as is the practice in my polling place), then a 
sequential record of the votes can be correlated with the order of voters to reconstruct the 
ballots cast by individual voters. The AccuVote-TS is one voting machine that gets this 
detail wrong. 

The AccuVote-TS suffers from many such problems. It encrypts stored votes, but 
stores the secret decryption key where it is easily found by hostile software. It keeps two 
redundant copies of each stored vote, but both copies are subject to easy tampering. 
Some of these errors are more technical in nature than the access-door key error and the 
vote-recording error, but they are just as serious. 

The implications of our study go beyond the specific voting machine we studied 
to reveal broader systemic problems. More worrisome than any specific vulnerability is 
that, despite its many problems, the system we studied was certified, purchased and 
deployed by many states and counties, and is slated for use in the upcoming November 
election. This leads us to conclude that existing certification and procurement 
procedures are inadequate to prevent the kinds of serious vulnerabilities we discovered. 
Here again the details matter, and too often current processes get the details wrong. 

Though some claim that election procedures will prevent the kinds of problems 
we identified, the rigid procedures described in vendor manuals are often ignored in 
practice. Machines are supposed to be sealed with numbered security tape; but missing 
or broken tape is usually ignored, and election workers often break the tape themselves 
when trying to revive malfunctioning machines. Machines and removable vote-storage 
media are theoretically kept under lock and key, but in practice they are often sent home 
with election workers or left unattended. At my polling place in Princeton, the night 
before an election, the DRE machines sit unattended in an unlocked elementary school 
lobby where anyone could tamper with them. Stringent official procedures only matter 
if they are followed in practice. 

There are several things we can do to improve the security of our e-voting 
infrastructure. 


In the short term, some limited steps are still feasible before November. Given 
the susceptibility of some e-voting systems to electronic tampering, we should take extra 
care to secure the chain of custody for voting machines and vote-storage media from now 
until Election Day. This cannot repair machines that have already been tampered with, 
but it can reduce the likelihood of further tampering. Needless to say, what we need is 
not more memos laying down theoretical procedures, but detailed execution to narrow the 
gap between procedural theory and practice. 

In the medium term, I offer three recommendations. First, we should fix the 
certification process to better account for security. Certification seems to focus on 
machine attributes that are easily tested, but security problems are difficult to detect by 
testing because no predetermined set of test scenarios can account for the tactics of a 
clever adversary who systematically exploits gaps in a system. 

In practice, the certification process often misses security problems that are 
simple but very dangerous. For example, the AccuVote-TS system we studied will 
silently accept and install any software update offered by any memory card that is 
inserted into the system. The system makes no effort to verify that the offered update is 
authorized by the vendor, election officials, or anyone else. This is a very serious 
weakness that opens the door to the injection of malicious software and the silent, 
automatic spread of viruses. Yet the system was certified despite this obvious 
vulnerability. The existing certification process seems unable to detect such problems 
reliably. It must be improved. 

Second, a voter-verified paper audit trail (VVPAT) is a necessary safeguard 
given the state of the art today. With these paper trails, as with other voting 
technologies, we must get the details right - poorly designed paper trails can be 
unreliable or hard to use, or can compromise the secrecy of the ballot - but a well- 
designed paper trail can improve security and enhance voter confidence, without 
compromising accessibility. 

In comparing VVPATs with paperless DREs, we must compare apples to apples. 
For example, we must not compare a VVPAT that compromises the secret ballot by 
recording votes in the order cast (e.g., on a continuous roll of paper) with a paperless 
DRE that gets this detail right. Instead, we must assume good engineering in both cases, 
and weigh the significant security benefits of VVPATs against their costs. 

Paper records, either VVPATs or traditional paper ballots, have their drawbacks. 
They are not immune to fraud. What is important is that they have different failure 
modes than electronic records, so that the combination of electronic and paper 
recordkeeping, if implemented well, can be more robust against fraud than either would 
be alone. 

One aspect of a well-implemented VVPAT system is that the electronic and paper 
records must be compared to each other. We do not need to verify every paper record, 
just enough to detect large-scale fraud. Unless an election is very close - which will 
probably trigger a full recount anyway - checking a few percent of ballots will suffice. 
Similarly, it is not necessary for every voter to read and verify the paper record of his 
vote; as long as even a few voters do so, any tampering widespread enough to be 
significant will be easily detected. 

Third, we must do more to leverage the expertise of independent security experts. 
Independent analyses, by experts neither paid by nor reporting to voting machine 
vendors, have discovered many areas for improvement in today’s technologies, yet most 
vendors systematically try to prevent such analyses. For example, my colleagues and I 
would be happy to examine other versions of Diebold’s AccuVote-TS or AccuVote-TSx 
software to determine whether they are subject to the vote-stealing virus problems we 
have identified; but Diebold refuses to let election officials call on us for this purpose. 
Other vendors follow a similar policy of resisting public study and discussion of the 
technologies that count our votes. 

In the long run, further research is needed to help us understand how to improve 
the voting system. For example, fully electronic verification technologies may one day 
be a viable substitute for VVPATs, once researchers have worked out the details 
necessary to deploy them in the real world accessibly and securely. We also need more 
systematic studies of what really happens in polling places, especially when problems 
arise. Finally, there is much to learn from work in other areas of computer security - 
today, even video game consoles like the Xbox are more tamper-resistant than voting 
machines. 

Those not versed in computer security can miss the significance of e-voting 
security vulnerabilities. From a security standpoint, what distinguishes computerized 
voting systems from traditional systems is not that computers are easier to compromise, 
but that the consequences of compromise can be so much more severe. Breaking into an 
old-fashioned ballot box can affect a few hundred ballots at most; injecting a virus into a 
single computerized voting machine can affect an entire election. 

Intuitions developed with older technologies can mislead when applied to 
computerized systems. For example, non-experts often fail to appreciate how difficult it 
is to tell what is happening inside a computer system. We cannot “just look” to see what 
is happening or whether the right software is installed. Often our only recourse is to ask 
the system itself what it is doing - which is fine if the system is working correctly, but 
fruitless if the system is compromised. There is no point in asking a virus whether a 
virus is present. 

Similarly, non-experts often assume that pre-election testing is an effective way to 
trigger and detect malicious software that might have infected a voting machine. Here 
again, computerized systems are different. A modified lever machine will work the same 
whether or not it is Election Day; but malicious software on a DRE can check whether 
the machine is in pre-election testing mode, or can check the date, or can check whether 
the number and pattern of voters is consistent with election day, and can activate its vote- 
stealing capability only in a real election. Our demonstration AccuVote-TS virus takes 
measures to remain inactive and thus evade detection during pre-election logic and 
accuracy testing. It is very difficult to tell whether such a virus is present. In general, 
malicious software is much harder to detect than non-experts would expect. 

My point is not that these challenges are insurmountable but that one needs 
specialized knowledge and sophisticated analysis to figure out what is possible. 
Acknowledging that security experts can learn from election experts, I submit that 
election experts can also learn from security experts. 


Getting the details of voting right is difficult, especially in today’s high-tech 
polling place. But failure is not an option. The stakes are too high, and the risk of 
malfunction or fraud too great, to make our current course tenable in the long run. We 
need to work harder and smarter, exploiting the knowledge of both election experts and 
technical experts. 


Biography of Edward W. Felten 

Edward W. Felten is Professor of Computer Science and Public Affairs, and Director of 
the Center for Information Technology Policy, at Princeton University. His research 
interests include computer security and privacy, Internet software, and information 
technology policy. He has published more than eighty papers in the research literature, 
and two books, and he is widely quoted in the press as an expert on security, privacy, and 
information technology policy. He has advised the U.S. Departments of Justice, Defense, 
and Homeland Security, and the Federal Trade Commission, on security-related issues. 
He serves on the Executive Committee of USACM, the U.S. public policy committee of 
ACM, the leading professional society for computer scientists. In 2003, Scientific 
American magazine named him to its list of fifty global leaders in science and 
technology. 


The Chairman. Our second witness is Gary Smith. Mr. Smith is 
the election director in Forsyth County, Georgia. Georgia uses a 
paperless DRE system statewide, and for those who don’t know 
what DRE stands for it is direct recording electronic computer. Ba- 
sically it is a type of computer we have displayed here. 

Mr. Smith uses a Diebold system that was the subject of the 
Princeton study. Mr. Smith also participated in the recount of the 
Cuyahoga County primary conducted on a DRE system with a 
paper audit trail. Mr. Smith, you are recognized. 

STATEMENT OF GARY SMITH, ELECTION DIRECTOR, FORSYTH 
COUNTY, GA 

Mr. Smith. Well, as was mentioned, my name is Gary Smith, I 
reside 

The Chairman. Is your microphone on? 

Mr. Smith. My name is Gary Smith and, as you mentioned, I am 
the election director for Forsyth County, Georgia, a county just 
north of Atlanta. It is quite a fast-growing county. We have about 
80,000 registered voters and we are one of the top fastest-growing 
counties in the United States, so we have a lot of issues that we 
have to deal with all the time. 

One of the things I think that is important maybe is to look at 
what those of us as election directors — how we come about. I am 
actually appointed through a selection committee that comes about 
where a grand jury is brought forth, they pick a panel of people 
who have the background to be able to do this. It is then sent up 
to the chief superior court judge and then I am selected from that. 
I was selected from that process. 

I am in my second term as the director of elections. It is a term 
of 4 years, and it is a nonpartisan position. Prior to coming into 
this position I spent most of my time working in the private sector. 
I retired. I was running various companies, and I have worked 
most of my life in industrial automation. So I have a technical 
background. I have an undergraduate degree in electrical engineer- 
ing and I am a certified election registration administrator from a 
program administered by Auburn University. 

As a director of elections, one of the things that I have been priv- 
ileged to do is to sit on a task force, several of them. One has been 
from the Georgia task force, which allows me to be able to partici- 
pate and look at new processes and equipment that we apply to 
elections in our county and State. In addition to that, I served on 
a national task force for election reform for 2004 where we looked 
at all the processes across the country with regards to elections. In 
addition, I think you just mentioned I did lead the manual recount 
for the Cuyahoga County VVPAT so I have some practical experience 
with that and I was happy to be able to do that. I spent a 
week at it, as a matter of fact. 

We have implemented the DREs. The one that you are looking 
at right here, which is the Diebold-TS unit, my county and 158 
counties in Georgia implemented this during the general election 
of 2002. We have held, from what I heard was the last count, some- 
thing like 2,500 elections in our State. In addition to that I have 
held elections on special elections, primaries, general elections, 
run-offs and just about any kind of election, and a municipal election 
as well. So, again, we have a lot of experience with them. 

One of the things that I think has been talked about a lot and 
I think we have to deal with is how do you look at the security and 
integrity of this kind of equipment. It starts, obviously, with the 
vendor who builds the equipment, goes through the independent 
testing laboratories that then look at it to make sure what we are 
receiving has the technical wherewithal to be able to provide us 
with a piece of equipment that really meets what our needs are. 
Thirdly, we have in our State, which I am very proud to talk about, 
the Center for Election Systems, a program administered by Ken- 
nesaw State University and Dr. Britt Williams, a well-known au- 
thority in elections. 

We do all of our creation of our ballot cards and that sort of thing 
through this group, and so it is another level of testing that we 
have that goes on. 

Lastly, it is up to those of us who are election directors to hold 
these elections, so I am tasked with a lot of the things that Mr. 
Felten has talked about, which is maintain the security and integ- 
rity of the process that goes on with elections. I guess we are where 
the rubber meets the road as much as anything. 

So that is our job. I am not going to go through all the details 
with regards to certification because it is certainly going to take a 
lot more than a few minutes, but it is in my paper and I hope that 
you will look at it. I think where we pick it up is where we pick 
up the memory cards, as Mr. Felten has mentioned, that come to 
us from the Center for Election Systems, the process of making 
sure that they come to us under the chain of custody manners, that 
we know that there is at least more than one person that has ac- 
cess to what we are talking about and they are looking at. 

We go through a process called logic and accuracy testing. This 
is when the process that he has talked about goes through the first 
part, where we are taking the memory cards, we are marrying 
them essentially to the voting machine, and then we are taking 
them through the testing process, at which time then we lock the 
machines up and we pass them on to the next level, which really 
is the election poll worker himself. 

And what I would like to do is to show you some of the chain- 
of-custody forms and I think they are in front of you too. If they 
are not, I am going to show you one actually that is going to be — 
okay. It is as good as it can get up there but I think most of you 
can probably see it. 

What I am pointing out in it — is it okay if I stand up? 

The Chairman. As long as you carry the microphone with you so 
all the people in the overflow room can hear you too. 

Mr. Smith. Can you hear me now? 

The Chairman. Yes. 

Mr. Smith. All right. I think what is critical about this, I think 
this is one of the things maybe that because we are doing it state- 
wide, we have an awful lot of good chances to be able to work the 
processes out. And I think Mr. Felten, one of the things he said is 
you need to have good chain of custody in these things. This actu- 
ally is for the precinct Big Creek. This is actually an actual form 
that we are using. It says here item number 1, custodian certification 
form for the AccuVote-TS units that are going to be used. 
Under point number 2 what I have got here is the touch screen se- 
rial number, which has not got a number in here, 116827. 

Then across here what you are looking at is all of the tests that 
we take individually to run on the machines. This takes about 15 
minutes per machine to run. It is a process that is done under my 
direction, and we actually have done this for 500 machines for the 
upcoming election. 

The next point that is important to look at is there is a seal num- 
ber that is right here. That seal number, what I am going to show 
you is how it is carried forward to the process where when we are 
holding the election at the precinct, what happens with it. This ma- 
chine then is sealed up, it has a wire serial number on it. So there 
is no access to this machine once the logic and accuracy test is 
done. 

Now, the next form I am going to show you is right here. This 
is a form then that is carried forward to the precinct itself so that 
when the poll workers, poll manager and his assistant, this is their 
responsibility; this is a form that is signed in triplicate, one goes 
to the Secretary of State, one goes to me and one goes to the clerk 
of the superior court. You will notice again it is for precinct Big 
Creek 01. This is the recap sheet that goes with it. Here again is 
the serial number. If we had looked back before, we would find that 
that serial number is the same one as here. 

Here is the serial number that then shows up on — that is
transferred from the original L&A testing. Now what happens with
it is we open up the machines, we go through it, we do the count 
number, and then at the end of the election, because this is the 
recap sheet, the key part here is that there is another mechanical 
low-tech seal put on it. It is a wired seal so it is kept on there all 
the time. 

That is the process that we go through. I wanted you to be able 
to see that. 

The Chairman. I am going to have to ask you to wrap up be- 
cause we have a lot of witnesses and a lot of discussion. 

Mr. Smith. Okay. I am sorry. 

The Chairman. Is that it? 

Mr. Smith. The other part I wanted to talk about, and I think 
this has to do with the comments that Ms. Millender-McDonald 
said, is what is the confidence that people have in it. I would like 
to at least respond to that at another time, because we have done 
surveys in our county, too, which show that 99 percent of the peo- 
ple feel that the process is an excellent process. So there is a high 
level of confidence in our equipment. 

The Chairman. All right. We can defer that to the question pe- 
riod. 

Mr. Smith. Thank you very much. 

The Chairman. Thank you. 

[The statement of Mr. Smith follows:] 





Testimony of Gary J. Smith 
Director of Elections 
Forsyth County, Georgia 

Before the Committee on House Administration hearing on 
Electronic Voting Machines: Verification, Security, and Paper Trails 
September 28, 2006 


Mr. Chairman: My name is Gary Smith and I have been the Director of Elections for
Forsyth County Georgia for the past 4 ½ years. I am an appointed official and am
selected by a Grand Jury with recommendations to the Senior Superior Court Judge. It is
a non-partisan position.

Prior to becoming Director of Elections, I served in many positions within the private
sector with emphasis on industrial automation. My undergraduate degree is in electrical 
engineering from the University of Illinois and I am a Certified Election and Registration 
Administrator. 

As Director of Elections, I have also been privileged to serve on several committees that 
have given me an opportunity to see elections not only on a local and statewide basis, but 
from a national perspective as well. Within our State of Georgia, I am a current member
of the Georgia Task Force for Elections - which reviews new processes and technology
that will be implemented and I have held statewide offices for both our Georgia Election
Officials as well as the Voter Registrars Association of Georgia. From a national
perspective, I served on the National Task Force on Election Reform for 2004 and have
hosted other statewide groups that have come to Georgia to view operational procedures 
with the use of Direct Recording Electronic (DRE) voting systems. In addition, I led the 
manual recount of the Cuyahoga County Ohio Primary Election for Election Science 
Institute. 

We implemented Diebold's AccuVote TS DREs in our county along with the other 158 
counties in Georgia during the General Election of 2002 and have experience in all types 
of elections i.e. Municipal, Special, Primary, General and Run-offs. We believe this 
experience allows us to speak with some authority on the process of elections held using 
DREs. 

During this period of elections, we have worked very closely with the Secretary of State’s 
office and our designated Center for Election Systems - Kennesaw State University 
(KSU). KSU has helped to develop the security features that we believe allow us to 
provide a safe and secure election. 


GJSmith 


Page 1 


09/27/06 





Within the State of Georgia, the organizations involved in assuring system integrity are: 

• Election System Vendor - Diebold

• Qualified Federal Testing Laboratory (ITA) 

• Kennesaw State University - Center for Election Systems 

• County Election Officials - i.e. Forsyth County Board of Elections 

What are the responsibilities of the individual organizations? 

Election System Vendor - Diebold 

• Designs and builds the Election System 

• Submits the Election System to the ITA to verify compliance with Federal 
Voting System Standards 

• Adheres to State level Certification tests 

• Completes Federal and State testing and, upon receiving approval, ships
systems to the counties

Qualified Federal Testing Laboratory - ITA 

• Reviews the System for compliance with the Federal Voting System 
Standards 

• Issues Certification Report on Complete System 

• Submits the Certified System to the KSU Center for Election Systems 
where State Certification tests are performed 

KSU Center for Election Systems 


• Reviews the System for compliance with State of Georgia Election Code 
and Rules 

• Tests the System for the presence of any unauthorized/fraudulent code 

• Develops a validation program used to test the System installed in the 
counties 

• Verifies that the System installed by the vendor in the county is identical 
to the system received from the ITA and certified by the KSU Center for 
Election Systems 

County Election Official - Forsyth County 

• We maintain, store and protect the System through the use of various
chain of custody procedures and physical security features which include
but are not limited to storage under security cameras, computer coded
access, locked equipment storage, hardwired security tags, no access to the
internet etc.

• We use the System in accordance with Georgia Laws and Rules to conduct 
elections. 

Security is viewed in three different layers, all working together to maintain the 
system integrity. 

The first layer is software security, consisting of the normal elements of user ID’s, 
unique passwords, and audit trails of all activities performed on the systems. 

The second layer is procedural security. This includes the four levels of testing; 

o Certification Testing on the National Level 

■ These are nationally prescribed tests outlined by the FEC and are 
performed by Independent Testing Authorities that have been 
approved by National Association of State Election Directors 
(NASED). 

• The Independent Testing Authorities (ITAs) review the software 
and hardware to make sure the system meets the stringent 
guidelines for election equipment. 

• Part of the tests performed is an analysis of the election system’s 
source code to ensure that there is not fraudulent code embedded 
within the system. 

• Any voting system must pass these rigid and extensive tests before 
even being considered for any use in Georgia. 

• If any changes occur to the election system’s components, the 
system must be sent through qualification testing again. 

o Certification Testing on the State Level 

■ These tests are designed to ensure the election system performs the 
duties required by Georgia Law, Georgia’s State Election Board’s 
Rules and Regulations, and Rules of the Secretary of State. 

• Tests are performed on an exact copy of the system certified by the 
ITAs. The ITAs forward an exact copy of the national certified 
system to the State for testing. This ensures that the system tested 
by the State is identical to what was submitted to the ITAs by the 
election system manufacturer. This ensures that the Vendor does
not make unknown changes to the certified system after national
tests are completed and before state tests begin.

• The test performed by the State mirrors actual election conditions 
faced by election systems in real use. 

• To make sure the software running the election system is free of
hidden or fraudulent code, the system’s clocks are moved forward
to an actual election date. Once the clocks have been changed the
simulations are then run. The movement of the clocks is designed
to uncover hidden code that only becomes active on election dates.

■ The tests performed are carefully scripted and conducted under
constant supervision. The State level tests are performed by the
Center for Election Systems at Kennesaw State University and are
overseen by Dr. Brit Williams, a member of the NASED technical
board which approves ITAs for service in the qualification testing
on the national level.

■ The system is put through stress tests to uncover the true capacity 
of the system and to ensure the system continues to record, store, 
and process data correctly even under extreme conditions. 

■ Once the system has cleared certification testing, an electronic 
signature is taken of the certified system. This electronic signature 
is then used to verify systems once they are installed in local 
county election offices. If a system is installed in a county and its
signature does not match the signature of the certified system, then
that system cannot be used. In addition, this system check can be
run at any time, even during the election process if necessary.

o Acceptance Testing 

• Performs physical and functional testing of each unit that has been 
purchased, repaired, or upgraded 

• Verifies the system installed by the Vendor matches the system 
certified for use in Georgia. 

• Tests the functionality of the entire system as well, to make sure 
the system continues to function as shown during the certification 
tests. 

o Logic and Accuracy Testing 

• Verifies again that the system is functioning in a manner consistent 
with certification test results. 

■ Election data to be used in an actual election is loaded to the voting 
system and the system is tested to ensure the choices entered by 
voters are recorded in the system as intended. 

■ Every voting machine to be used in an election must pass this 
process before it can be used in an election. 

■ This process is conducted in public view. 

• Records are kept by local election officials verifying that each 
machine has been tested and has been found to be functioning 
properly. 

• At the conclusion of this testing, the units are closed and sealed 
and are not opened again until the morning of the election. 

Access to the election equipment is tightly controlled, including
documentation of who, what, when, and why access is granted.




Voters must proceed through a check-in process at the polls or the absentee 
precinct prior to being given access to the voting units. 

Voter access cards do not leave the confinements of the precincts during the 
voting period. This is assured by requiring each person leaving the polls to 
give up their access card at the exit station. 

All tests run prior to the opening of polls on the morning of an election are 
done in public view and are done by a team of poll workers. A single poll 
worker does not perform tests on the voting system without assistance from at 
least one other poll worker. 

Periodically through the voting day and at the close of polls, the numbered list 
of voters, voter’s certificates, and elector’s list are reconciled with the number 
of ballots recorded by the voting units. This is done to ensure the system has 
not recorded more votes than voters voting. All reconciliation sheets are 
signed in triplicate. 


Poll workers patrol the voting area throughout the day to ensure voters are not 
tampering with the voting system. By Georgia law, all voting booths must be 
in sight of the poll workers.



Typical setup for a precinct voting 




Voting units are placed in a way that poll workers and the public can view the 
actions being taken in the voting booths without endangering the secrecy of 
the voter’s voted ballot. 

Multiple poll workers perform Poll closing procedures. A single poll worker 
does not perform closing procedures on the voting system (i.e., printing of 
tally tapes from voting units) without assistance from at least one other poll 
worker. 

All sensitive materials maintained in the polling precinct are kept in sealed 
containers i.e. the supervisor card used to close out the election. 

All compartments of the voting units are locked, with only the poll manager 
having access to the keys that unlock them. The comment from the Princeton 
report has changed the way that we will lock up our voting units after they are 
started up during the election - we are going to add on a security tape similar 
to that shown below, although ours will have a digital seal and will be
recorded for purposes of security. We think this is a positive action. 



Security Seal on DRE access to memory card 

A parallel monitoring test is performed for each statewide election with six 
counties being randomly selected. For each of these counties, a precinct is 
randomly selected. The actual ballot styles for this precinct are loaded on a 
voting unit at the Center for Election Systems. At approximately 10:00 am
on Election Day, a pre-defined script is voted on each of the six machines. 
Upon completion of the voting, the election on each machine is ended and a 
result tape is printed. The count on the result tape is compared to the script 
count for each race in that precinct. For at least one precinct, the actual 
ballots cast are printed and compared to script to verify that the votes are 
recorded properly. 




The second phase of the parallel monitoring test consists of randomly 
selecting at least three counties and a precinct for each county. On election 
night, the counties make copies of the result tapes for all of the voting units in 
the selected precinct and mail them to the Center for Election Systems. Once 
the certified results have been sent to the State Elections Division, a copy of the CD
for each of the three counties is obtained. The actual ballot images for at least 
two machines in each precinct are printed. The ballots are manually counted 
for the top two races. The manual count is compared to the count produced on 
election night on the result tapes for the selected units. 

The third level of security deals with physical security and includes the following:

o Source code is escrowed

If questions were to arise about the software in use, the escrowed source 
code could be used to verify whether or not the system in use had been 
tampered with or not. 

o Secure Storage of Voting System and components

• Voting units used to collect votes are stored in secure areas under 
the direction of each county election superintendent. Access is 
limited to employees of the county election office. 

• The election management system used to create the various ballots 
necessary for an election, and used to program the voting units for 
elections is stored on a dedicated computer that is not connected in 
any way to any other internal or external network. 

• Access to the computer is limited to county election officials, or 
their designees. 

• The dedicated computer storing election data contains software 
only approved by the Secretary of State. 

• When not in use, the voting units are stored in a protected area and 
the dedicated election management computer is locked. 

• All components of the voting system, when not in use, are stored in 
a secure location by the county election superintendent. 

• During an election, units are sealed prior to being delivered to 
precincts. These seals are recorded and monitored. 

• At the conclusion of an election, the removable memory from each 
unit is removed and placed in a sealed container and returned to the 
county election office for tabulation. 

• In addition, the voting units themselves with their internal backup 
memory are sealed and returned to the secured storage facility. 


Protecting System Integrity 

Three distinct functions are performed to protect the integrity of the System: 




Verify the System at Receipt (State Certification Test by KSU) 

• Using the System as delivered from the ITA, set up and conduct sample 
elections with known outcomes that are representative of Georgia general 
and primary elections. 

• Conduct high-volume tests to determine capacity limits of the System

• Conduct tests to determine the System’s ability to recover from various 
types of errors 

Verify the System at Installation 

• KSU ensures that the System installed in the county is identical to the 
System received from the ITA and certified by the State 

• KSU prepares a validation program that will detect any changes to the 
System installed in our county 

• KSU runs the validation program against the System installed in our 
county (after vendor installation) 

Verify the System is Performing Properly (Forsyth County)

• Logic and Accuracy Tests are performed prior to each election 

• Performance of all System components is verified

• Specific ballot information for each memory card in each precinct is 
verified 

• Touch screen units are set for election, locked and sealed with a hard 
wired numerical seal 

• Our server is always kept in a secured location behind three computer
coded solid doors and a security camera

• No extraneous software is installed on our server 

• There is no network connectivity 

• Physical access is limited to authorized personnel 

• Touch screen units are protected by layers of physical security prior to 
Logic and Accuracy and afterwards with digital access, security cameras 
and hardwired serial tags. 

• Touch screen units that are used for elections are secured and locked when 
not in use 

Validation Program (Hash Codes run by KSU during testing and on request)

• Based on NIST standards contained in FIPS 180-2, established in August 
2002 

• Run ‘Hash’ on the System certified by KSU’s Center for Election
Systems. This creates File 1.




• Run ‘hash-cmp’ to compare File 1 with a new ‘hash’ on the System in the 
County 

• They must be identical 


In the most recent report from Princeton University among their findings are issues that 
deal with the security of DRE systems. We believe that we have mitigated many of these 
problems through the use of the processes above. Specifically, there would be problems if,
as the professors pointed out, poll workers or others would have unsupervised access
to the machines - in our county, poll workers and others do not have unsupervised access
to a voting machine or memory card. It is not a practice in Forsyth County to allow any 
poll worker unsupervised access to the machines. 

The DREs in Forsyth County and Georgia are never networked together minimizing the 
risk of any spreading of viruses. In addition, KSU has provided us with “sanitized” 
memory cards to minimize the risks of obtaining a voting machine virus. All memory 
cards in Georgia were returned to KSU for the process and returned to us after they had 
been cleaned - this is another example of the lengths that we go to in insuring a virus free 
environment. 

Many “white papers” have been written both pro and con with respect to the use of DREs 
and especially with regard to the ones that have been implemented in Georgia. Our own 
Secretary of State - Cathy Cox has said that "Due to the built-in redundancy, we know
that, after more than 3,000 elections, not one vote has been lost due to any type of
equipment malfunction."


Ultimately, it is about the confidence that people have in the voting process itself that is 
important. The first major study that was done by a public institution about the state of 
voting in Georgia was done by the University of Georgia’s Carl Vinson Institute of 
Government and is included below for your benefit. 

GEORGIANS FAVOR ELECTRONIC VOTING 

ATHENS, GA - Georgians overwhelmingly prefer electronic voting to other methods of 
voting, according to the most recent Peach State Poll. Seventy percent of the voting age 
public say they are more comfortable casting their respective ballots electronically on the 
touch screen machines than by punch cards (preferred by 8 percent) or by marking paper 
ballots (12 percent). Eighty-four percent of Georgians say that the touch screen voting 
machines are an improvement over using punch cards, and 82 percent say they are an 
improvement over paper ballots on which voters mark with a pen. 

In addition, poll respondents express a high level of support for a uniform voting system. 
The Peach State Poll, a quarterly survey of public opinion conducted by the University of
Georgia’s Carl Vinson Institute of Government, finds that 95 percent of the public
believe that having a uniform system is either very important (77 percent) or somewhat
important (18 percent). Only 17 percent of Georgians believe that individual counties
should be allowed to decide the method by which their constituents cast votes. 

Other Peach State Poll results:

• A plurality of Georgians say that the greatest advantage of the new fully
electronic voting system is that it is convenient to use (44 percent); 22 percent 
cited increased accuracy as the greatest advantage. 

• When asked what they believed to be the greatest problem with the new voting 
machines, a plurality (26 percent) said that there were no problems, and 19 
percent cited the likelihood that some people are not comfortable with new 
technology as the greatest problem. 

• Georgians with higher levels of education are more likely to believe that the new 
electronic voting system will increase the accuracy of Georgia’s elections. While 
56 percent of those with a high school education or less believe that the new 
system will improve the overall accuracy, 73 percent of those with postgraduate 
education believe it will. 

• While 70 percent of the public say they are most comfortable voting on touch 
screen machines as opposed to punch cards or other paper ballots, that percentage 
drops to 58 percent for Georgians over age 65. 

• Georgians who do not use automatic teller banking machines report being less 
comfortable and more skeptical of the electronic voting machines than are those 
who use ATMs. Still, a majority (55 percent) of those who do not use ATMs 
show more comfort with the electronic voting machines than with any of the 
alternatives. 

These data were taken from a Peach State Poll survey conducted between November 16 
and November 23, 2003. The poll included 807 telephone interviews of randomly 
selected adults in Georgia. For a sample of this size, the margin of error at the 95 percent 
confidence level is +/-3.5 percent. 




The Carl Vinson Institute of Government, a public service and outreach unit of the 
University of Georgia, has as part of its mission to provide policymakers with systematic, 
objective research to inform policy decisions. In accordance with that mission, the Peach 
State Poll aims to give voice to the public on important policy matters and issues 
pertaining to political, social, and economic life in Georgia. 

For more information on this survey or other Peach State Poll results, see 
www.vinsoninstitute.org/peachpoll. 


Comfort level with various methods of voting by age 





FORSYTH COUNTY VOTERS LIKE ELECTRONIC VOTING 


In our own way in Forsyth County, we have tried to track the issues and concerns that our 
voters have in order for them to have a better election day experience. To do this, we 
have a response card that is randomly handed out to voters in our precincts - it includes 
the following questions: 

• How was the service 

• How can we improve 

• Additional comments 

• Name/Address optional 

• Precinct # 

• Date 


We have analyzed the first 715 responses and they are attached for your benefit. Of the
responses the following information is available: 





The above response is an indication of the entire experience that our voters have had with 
the entire process of an election. You are able to see from their attached comments that 
they are very pleased with the process and only a few (less than 0.0002) of the voters have
asked for a VVPAT. The voters have certainly expressed a lot of opinions and we 
routinely meet to be able to improve our operations. 

A significant amount of this positive experience goes to the excellent poll workers we 
have in our county. Poll workers in Forsyth County go through a selection process that 
includes a personal interview with me or my Outreach Coordinator. In addition, every 
poll worker is required to attend training prior to each and every election. The minimum 
period for a training session is three hours and includes both small classroom sessions 
and hands on portion. All poll workers will train together with their precinct so that they 
are all knowledgeable of the interaction that goes on during Election Day. We also 
grade our poll workers and provide additional training for those who do not meet minimal 
standards. 

In June, I was asked by Election Science Institute to lead the manual recount of the
Cuyahoga County Primary Election of 2006. This study is well documented in the report 
written by ESI and reflects the problems associated with having a paper document 
VVPAT used as the legal ballot during an election. As it was pointed out by Princeton, a 
denial of service could easily be implemented when the legal ballot is the VVPAT. 
During our recount of the VVPAT, it was evident that the voters were not paying 
attention to the VVPAT as they would have certainly not continued to cast their ballots 
when the printed tape was either not indexing, was missing or blank - all of these issues 
were found to be in existence. 




I have attached below photos of issues with the VVPAT:



It is my hope that the energy and talent expressed by the academics that have researched 
exhaustively the inter workings of the aforementioned DRE in their Princeton report 
could provide a solution that is easier to implement than the VVPAT. Possibly, it could
be along the lines of that suggested by election administrators in the National Task Force 
on Election Reform that is not limited to paper: 

“That guidelines be developed by the National Institute of Standards 
and Technology (NIST), through the EAC, for a scientifically 
sound, independently verifiable audit trail for direct record 
electronic (DRE) voting systems and that such guidelines not be 
restricted to contemporaneous paper replica but also include 
guidelines for electronic, audio, video or other media to provide 
verification of the integrity of recording and tabulating votes. 

22. That, for DRE voting systems, guidelines be developed by NIST, 
through the EAC, for the contemporaneous recording of each 
ballot record, on a secure medium, to provide a redundant record” 


While costs are not necessarily the overriding factor in purchasing or changing voting 
equipment they can not be ignored. Our voters in Forsyth County have invested almost an 
incremental $1,000,000 over the cost of the systems given to us by the State of Georgia in 
additional equipment and training over the past four years. We certainly can not be
expected to continue this type of investment or make changes, when the equipment still
has at least 70% of its expected life cycle to be used. 

In conclusion, we believe that the voters in Forsyth County Georgia have spoken 
positively that they have a voting system that has provided them with the assurances that 
their votes are being counted and tallied correctly. 

Thank you for the opportunity to share my thoughts and experiences with you. 

Acknowledgements: I would like to thank Ray Cobb and the KSU Center for Election 
Systems for their assistance, technical help, information and feedback. Georgia is 
fortunate to have such an institution as our independent and capable entity responsible for 
testing and certification of election equipment. 

Attachments; Voter Responses Forsyth County Georgia 
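
The hash-and-compare check described in the statement above (run 'hash' on the certified system to create File 1, then 'hash-cmp' against the system in the county), sketched as an added example that is not KSU's validation program and not part of the testimony. It assumes SHA-256 from FIPS 180-2 and a whole-directory manifest; the function names, manifest layout and sample files are constructed for the illustration.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 16  # read files in 64 KiB blocks so large images are not loaded whole


def hash_file(path):
    """Return the SHA-256 hex digest (FIPS 180-2) of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map every file under root (relative '/'-separated path) to its digest."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def write_manifest(manifest, out_path):
    """Write the reference manifest ("File 1"): one 'digest  path' line per file."""
    with open(out_path, "w", encoding="utf-8") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")


def read_manifest(path):
    """Parse a manifest written by write_manifest back into a dict."""
    manifest = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                manifest[rel] = digest
    return manifest


def hash_cmp(reference_manifest_path, installed_root):
    """Re-hash the installed tree and report every difference from the reference.

    A file that exists only on the installed system counts as a mismatch too:
    "identical" means same set of files and same digests, not merely that the
    listed files are unchanged.
    """
    ref = read_manifest(reference_manifest_path)
    cur = hash_tree(installed_root)
    report = {
        "modified": sorted(p for p in ref if p in cur and ref[p] != cur[p]),
        "missing": sorted(p for p in ref if p not in cur),
        "added": sorted(p for p in cur if p not in ref),
    }
    report["identical"] = not (report["modified"] or report["missing"] or report["added"])
    return report


def demo():
    """Constructed sample: a 'certified' tree, an exact copy, then a drifted copy."""
    work = tempfile.mkdtemp()
    try:
        certified = os.path.join(work, "certified")
        county = os.path.join(work, "county")
        sample = {  # constructed file names and contents
            "bin/station.bin": b"certified build\n",
            "bin/tally.bin": b"tally module\n",
            "config.ini": b"mode=election\n",
        }
        for rel, data in sample.items():
            path = os.path.join(certified, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        file1 = os.path.join(work, "file1.sha256")
        write_manifest(hash_tree(certified), file1)

        shutil.copytree(certified, county)
        clean = hash_cmp(file1, county)  # exact copy: must be identical

        with open(os.path.join(county, "bin", "tally.bin"), "ab") as f:
            f.write(b"\x00")  # one changed byte
        os.remove(os.path.join(county, "config.ini"))
        with open(os.path.join(county, "bin", "extra.bin"), "wb") as f:
            f.write(b"unlisted file")
        drifted = hash_cmp(file1, county)
        return clean, drifted
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for label, report in zip(("exact copy", "drifted copy"), demo()):
        print(label, report)
```
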



The Chairman. As a reminder to those, I should have mentioned 
it before, you have the little device in front of you with the lights 
on it. Green means go, yellow means sum up, red means you are 
in deep trouble. So please keep an eye on the clock. 

Next I am pleased to recognize Ms. Barbara Simons, past presi- 
dent of the Association for Computing Machinery, and she has done 
a lot of work on voting systems. Dr. Simons, you are recognized. 

STATEMENT OF BARBARA SIMONS, MEMBER, U.S. PUBLIC POL- 
ICY COMMITTEE, ASSOCIATION FOR COMPUTING MACHIN- 
ERY 

Ms. Simons. Good morning, Mr. Chairman, members of the com- 
mittee. On behalf of the computing professionals that constitute the 
Association for Computing Machinery I want to thank you for the 
opportunity to testify today about e-voting system security and the 
need for voter-verified paper trails. Secure, reliable, usable and ac- 
cessible voting systems are critical toward assuring transparent, 
fair and inclusive elections. These are not mutually exclusive goals. 
I shall discuss aspects of both security and accessibility this morn- 
ing. 

First, security. Because of the risks of software bugs, malicious 
code or computer failure, we cannot trust that the results in a 
paperless voting machine accurately reflect the will of the voters. 
That is why voter-verified paper ballots or audit trails (VVPATs, as
we refer to them) are needed. VVPATs are automatically produced
by an optical scan system, since the ballot is verified by the voter.
Fortunately, 48 percent of counties have optical scan systems so
they already have VVPATs.

Optical scans can be used together with tactile ballot sleeves or 
accessible marking devices for accessibility. Some DREs have been 
retrofitted to produce VVPATs; in fact, all of them for use in
California, as Congresswoman Lofgren said.

Two years ago ACM, a leading computer society, issued a state- 
ment calling for well-engineered voting machines that allow every 
voter to verify his or her record has been accurately cast by the in- 
spection of a physical (e.g. paper) record. 

At its 2006 national convention, the League of Women Voters 
passed a resolution calling for voter-verified paper ballots or 
records to be used for audits and recounts. The League also urged 
that routine random audits be conducted in every election. 

Both the ACM statement and the League’s resolution can be 
found in my written testimony. 

In summary, as a defense against malicious or buggy software 
we must have: reliable, well-engineered VVPATs, policies and
procedures that guarantee the integrity of the paper records; security
storage and delivery of machines and so on, mandatory random
manual audits of VVPATs; and a full manual recount if
discrepancies are uncovered, unless there is evidence that the VVPATs
have been compromised.

I will now discuss accessibility. 

People with disabilities should be able to vote privately and inde- 
pendently and be able to verify their votes. 





HAVA does not require the DREs be used for accessibility. There 
is evidence that a number of people with disabilities are finding 
that DREs are not meeting their accessibility needs. 

Kelly Pierce, a nationally known advocate for the blind and vis- 
ually impaired, reviewed tactically discernable controls, spoken 
prompts, visual display, poll worker assistance, volume control and 
normalization, and ballot review for four voting machines. In his 
report for Cook County State Attorney’s Office, Pierce concluded 
that if any one of the four machines were to be deployed in Chicago 
or suburban Cook County, many voters with disabilities, particu- 
larly blind voters, would not be able to cast a ballot independently 
and privately. 

Blind computer scientist Noel Runyan discussed his frustration 
with his hour-long voting experience in the 2004 Presidential elec- 
tion, and I quote: It took me 30 minutes to work my way through 
the ballots and make my selection. After that I had quite a bit of 
trouble getting into the review mode to get a full list of all my se- 
lections. When I did, it went on and on for 23 minutes, like a long 
uncontrolled drink from a firehose. The review function read each 
item and then at the very end said my selection was for that item. 
It even threw in details of what the fiscal impact would be and 
took forever. 

“This is completely backwards.” 

He went on to say: “From the time I signed in and got my voter 
smart card, it took 8 minutes to reboot the audio voting machine; 
30 minutes to make my choices; 23 minutes to review and verify; 
and another 4 minutes to make a correction and record my vote. 
Not counting the hour waiting in line, it took me about 65 minutes 
to mark and record my ballot.” 

We do not have to settle for inaccessible voting systems. Old 
technologies such as text to audio devices, tactile ballot sleeves, 
and ballot marking and generating systems could be combined with 
new technologies that make the entire voting and verification proc- 
ess accessible, while remaining auditable. 

Technology, if engineered and tested carefully and if deployed 
with safeguards against failure, can reduce error rate, provide 
more accessibility, increase accountability and strengthen our vot- 
ing system. However, the current state of e-voting technology 
leaves us far short of these goals. We need paper trails and manual 
audits to protect us against failures and attacks. We need addi- 
tional research to make voting machines more usable, secure and 
accessible. And we need to work together to achieve these goals. 
Thank you. 

The Chairman. Thank you very much. 

[The statement of Ms. Simons follows:] 





Statement of Barbara Simons for the Committee on House Administration Hearing on 
Electronic Voting Machines 
September 28, 2006 

My name is Barbara Simons. I am retired from IBM, where I was a Research Staff 
Member at the IBM Almaden Research Center for many years. I have been working 
almost exclusively on voting technology issues since 2000, when I was a member of the 
National Workshop on Internet Voting. The workshop, convened at the request of 
President Clinton, produced a report in 2001 in which we strongly recommended against 
Internet Voting. I also participated on the Security Peer Review Group for the US 
Department of Defense’s Internet voting project (SERVE) and co-authored the report that 
led to the cancellation of SERVE because of security concerns. More recently I co- 
chaired the Association for Computing Machinery (ACM) study of statewide databases 
of registered voters. I am also co-authoring with Professor Doug Jones a book on voting 
machines to be published in 2007 by PoliPoint. 

I was President of ACM from July 1998 until June 2000. ACM is the oldest and largest 
scientific and educational society of computer professionals, with approximately 80,000 
members. I founded ACM’s US Public Policy Committee (USACM) in 1993 and have 
served for many years as the Chair or co-Chair of USACM. 

We must make our elections more secure, reliable, accessible, and verifiable. 

We all want elections that are reliable, secure, accessible, and trusted by the public. 

Given known security risks, the possibility that software bugs could generate incorrect 
election results, or that computerized voting machines may fail during an election, we 
cannot trust that the results recorded in a paperless voting machine accurately reflect the 
will of the voters. Providing a voter verified paper trail is a significant step toward 
mitigating these risks, restoring transparency to the election, and ensuring the public’s 
trust. 

Because paperless Direct Recording Electronic (DRE) devices cannot be audited, many 
states have mandated that DREs produce a voter verified paper audit trail (VVPAT) or 
voter verified paper ballot (VVPB). We have seen that careful and well engineered 
implementation of this requirement is critical. Some of the most widely used DREs have 
retrofitted their machines by adding reel-to-reel thermal printers. Unfortunately, there 
have been a number of problems with these continuous roll printers, including jamming, 
privacy concerns, and difficulties conducting a manual count of the paper. 

There are high quality printers that are much more reliable, that produce easy to read text, 
and that could print VVPBs that are easy to count manually. Our voting systems should 
not depend on mediocre equipment. 

Precinct based optical scan voting systems also produce VVPBs, since by definition the 
optical scan ballot is verified by the voter when he or she marks the ballot. Accessible 
optical scan ballots can be produced using tactile ballots or electronic ballot marking 
systems. Optical scan ballots can be manually counted and used to audit elections. 

As a defense against malicious or buggy software, we must have: 

- reliable, well engineered, accessible VVPBs; 

- policies and procedures that guarantee the integrity of the paper, control of 
custody, legibility, etc.; and 

- routine mandated random manual audits of the VVPBs that instill voter 
confidence and that verify the accuracy of elections. 

If the manual count does not match the count produced by an optical scan system or by a 
DRE, then all of the paper ballots must be manually counted in an open and transparent 
fashion. Unless there is evidence that the VVPBs have been compromised, the paper 
ballots should be used to determine the election results. 

We can consider alternatives, such as cryptographic based systems, if and when voting 
technology is commercially available that is demonstrably secure, reliable, easy to use, 
accessible, believable, and understandable to the average voter. 

Most computer professionals oppose paperless voting machines. 

Computer scientists have been generally skeptical about computerized voting machines, 
because we know that they are not transparent. You cannot simply look inside a machine 
and clearly see if it is performing in a trustworthy manner. Computerized voting has a lot 
of advantages, but all computerized voting systems currently available carry risks. We 
recommend VVPATs or VVPBs not to eliminate fraud, but rather to increase the safety 
of voting systems and to allow for routine election audits. 

Two years ago ACM issued the following statement[1] calling for well engineered voting 
machines that provide every voter with the ability to verify that his or her vote has been 
accurately cast by inspecting a physical (e.g., paper) record. 

ACM Statement on E-voting 

Virtually all voting systems in use today (punch-cards, lever machines, hand counted 
paper ballots, etc.) are subject to fraud and error, including electronic voting systems, 
which are not without their own risks and vulnerabilities. In particular, many electronic 
voting systems have been evaluated by independent, generally-recognized experts and 
have been found to be poorly designed: developed using inferior software engineering 
processes; designed without (or with very limited) external audit capabilities; intended 
for operation without obvious protective measures; and deployed without rigorous, 
scientifically-designed testing. 

To protect the accuracy and impartiality of the electoral process, ACM recommends that 
all voting systems - particularly computer-based electronic voting systems - embody 
careful engineering, strong safeguards, and rigorous testing in both their design and 
operation. In addition, voting systems should enable each voter to inspect a physical 
(e.g., paper) record to verify that his or her vote has been accurately cast and to serve as 
an independent check on the result produced and stored by the system. Making those 
records permanent (i.e., not based solely in computer memory) provides a means by 
which an accurate recount may be conducted. Ensuring the reliability, security, and 
verifiability of public elections is fundamental to a stable democracy. Convenience and 
speed of vote counting are no substitute for accuracy of results and trust in the process by 
the electorate. 

The League of Women Voters’ resolution on voting systems. 

In addition to the technical community, good government organizations have expressed 
concerns about the security of paperless voting machines. For example, at its 2006 
national convention the League of Women Voters passed a resolution on voting machines 
calling for a voter verified paper ballot or record that would be used for audits and 
recounts. The League also urged that routine random audits of these paper 
ballots/records be conducted in every election. Here is the resolution[2]: 

Whereas: Some LWVs have had difficulty applying the SARA Resolution (Secure, 
Accurate, Recountable and Accessible) passed at the last Convention, and 
Whereas: Paperless electronic voting systems are not inherently secure, can 
malfunction, and do not provide a recountable audit trail. 

Therefore be it resolved that: 

The position on the Citizens' Right to Vote be interpreted to affirm that LWVUS supports 
only voting systems that are designed so that: 

1. they employ a voter-verifiable paper ballot or other paper record, said paper being 
the official record of the voter's intent; and 

2. the voter can verify, either by eye or with the aid of suitable devices for those who 
have impaired vision, that the paper ballot/record accurately reflects his or her intent; 
and 

3. such verification takes place while the voter is still in the process of voting; and 

4. the paper ballot/record is used for audits and recounts; and 

5. the vote totals can be verified by an independent hand count of the paper 
ballot/record; and 

6. routine audits of the paper ballot/record in randomly selected precincts can be 
conducted in every election, and the results published by the jurisdiction. 

Insecure storage and handling of voting machines. 

Professor Ed Felten, who is testifying today, recently released a very important study of 
fundamental security vulnerabilities of Diebold TS machines. The study illustrated how 
having physical access to one of the machines for even a minute was sufficient to allow a 
malicious individual to install fraudulent software. 





There already has been a fair amount of press about the risks of voting machine “sleep- 
overs.” This practice involves having a poll worker take a machine home prior to the 
election and bringing it in on Election Day. Decentralizing the physical security of 
machines significantly increases the number of people with access to a machine before an 
election. But even if machines are not delivered to poll workers’ homes, there still can be 
significant security threats stemming from pre-election deliveries of machines, as I 
observed while serving as a Santa Clara County polling station inspector in the 
November 2004 election. 

The county delivered five paperless DREs to our polling station - a commons room in a 
Stanford University dorm - about a week before Election Day. When the woman who 
made the space available for the election arrived at work, she moved the machines from 
the insecure commons room into her office, where they remained under lock and key 
until the night before the election. 

My fellow poll workers and I set up the voting machines in the public commons room the 
night before the election so that the batteries could be fully charged. For the rest of the 
night the machines remained unattended. 

When initially delivered, the machines were “protected” by two levels of numbered 
tamper evident tape. The first level was removed the night before the election, when we 
did the initial set-up. The second level was removed on Election Day. All of the 
removed tapes were included in the material that we returned to the county election 
officials. 

I had no idea before the election as to what the tamper evident tape should look like, 
because I had never seen any. Even if I had been shown a tape, without additional 
training I doubt that my memory would have been adequate for me to know if a 
counterfeit tape had been used. 

Security risks of the procedures deployed by Santa Clara County. 

There are multiple security risks, depending on the goal of the attacker. Here are a few: 

1. Hacking the voting machine software without being detected. This could have 
been done either by someone who had access to the machines while in the 
commons room, or by someone who had access to the office where the machines 
were stored. To avoid detection with certainty, it would have been necessary to 
acquire identically numbered tamper evident tape, for example by ordering it on 
the Internet or obtaining it from an insider working for the county. 

2. Hacking the voting machine software and risking detection. Since we poll 
workers had never seen the tamper evident tape and had no idea of what the 
numbers on the pieces of tape should be, we would not have been able to 
determine that someone had hacked the software and replaced the original tapes 
with different tamper evident tapes. Such an attack might have been detected by 
election officials if they had reviewed the tapes that we returned. However, since 
the election would have been over, it’s not clear what election officials would 
have done. Furthermore, if the attacker had acquired identical or nearly identical 
tape and used the numbers from the original tapes on the counterfeit tapes, it’s 
likely that even diligent election officials would not have detected the fraud. 

3. Targeting specific precincts to depress turnout favorable to one candidate (a 
denial of service attack). This would have been a very easy attack, since the 
machines were left in a publicly accessible location the night before the election. 
All the attacker had to do was to remove the second level of tamper evident tape, 
since poll workers had been instructed to request new voting machines if the 
tamper evident tapes had been removed. Since we were barely ready by opening 
time, bringing in new machines would have delayed the opening of the polling 
station by at least an hour or two. If there were a widespread attack that removed 
the tamper evident tape from machines in many voting places, it is highly likely 
that the county would have been incapable of replacing all of the suspect 
machines. 

Fortunately, there is a possible fix if tampering has been detected or there is a denial of 
service attack, namely emergency paper ballots. Every polling place should have a large 
supply of emergency paper ballots that can be used in emergency situations. 
Furthermore, a manual count should be made of the emergency paper ballots in all 
suspect polling places in addition to any manual counts that are done to satisfy a random 
manual audit. 

Voters with disabilities. 

While HAVA was passed in response to problems with the 2000 elections, much 
emphasis has been given to the HAVA requirement that voting be made accessible for 
people with disabilities. However, security and accessibility are not mutually exclusive 
goals. We can and should have secure accessible elections. 

I cannot stress enough that I strongly agree that people with disabilities should be able to 
vote privately and independently and that they should be able to verify their votes. I do 
not know a single computer security expert who opposes non-visual access for blind 
voters or access to the ballot by any person with a disability. 

It bears repeating that HAVA does not mandate the exclusive use of electronic voting 
machines to meet accessibility requirements. HAVA states accessibility can be met 
“...through the use of at least one direct recording electronic voting system or other 
voting system equipped for individuals with disabilities ...” [emphasis added].[3] 

There is a growing body of evidence that people with disabilities - blind and visually 
impaired voters, voters who have limited mobility and dexterity, and people with other 
disabilities - are finding that DREs or touchscreens are not meeting their accessibility 
needs and are in fact preventing them from securing a private and independent ballot. 





Aleda J. Devies, a retired systems engineer, and member of Handicapped Voters of 
Volusia County, made the following statements in her August 01, 2006 article, Touch 
Screens Are Not The Best Choice For Disabled Voters:[4] 

A key point has been lost in the various arguments for and against touch-screen voting 
machines. The spirit and intent of the accessible voting law are to allow every disabled 
person the opportunity to cast his or her [sic] privately and independently. The key word 
in the preceding sentence is "every." It is not acceptable to accommodate some 
members of the disabled population and expect the rest of us to live with “business as 
usual.” That is discrimination, which is not legal. 

Accommodating people with different disabilities requires great flexibility in a voting 
system. What works for and is preferred by certain members of the blind and visually 
impaired community does not accommodate people with mobility or motor impairments. 
That is one specific shortcoming with touch screen machines. People with limited use of 
their hands and arms may not be able to use the touch screen machines. People with 
spinal cord injuries or similar disorders may require binary devices such as 
“sip-and-puff". (Other binary devices include foot pedals, joysticks and gel pads.) 

Devies also observes that, “Touch screen machines with telephone-like keypads do not 
meet Section 508 of the Rehabilitation Act of 1973 requirement that keypads must be 
operable with one hand and shall not require tight grasping, pinching, or twisting of the 
wrist.” 

Kelly Pierce, a nationally-known advocate for people who are blind and visually 
impaired, reviewed four voting machines in his March 15, 2005 report for the Cook 
County State's Attorney’s Office, Accessibility Analysis of Four Proposed Voting 
Machines.[5] 

Pierce analyzed tactilely discernable controls, spoken prompts, visual display, poll 
worker assistance, volume control and normalization, and ballot review. He found all 
four machines deficient in one or another of these areas. 

Pierce stated, “Unfortunately, if any one of the four machines were to be deployed in 
Chicago or suburban Cook County as exhibited on March 15, many voters with 
disabilities, particularly blind voters, would not be able to cast a ballot independently and 
privately”. 

In his conclusion, Pierce remarks, “This review and those conducted by the American 
Foundation for the Blind, Manhattan Borough President C. Virginia Fields with The 
Center for Independence of the Disabled in New York, and a blind computer scientist and 
electrical engineer all have found that while the electronic machines represent a 
significant advance in accessibility from the current poll worker assistance system they 
often fail to effectively communicate the voting process to audio voters or are physically 
designed in a way that does not meet the current consensus on accessible design as 
crafted by the technology industry, the disability community, and leading national 
governmental institutions.” 

Pierce’s observations appear to have been borne out by the voting experience of Noel 
Runyan, a blind computer scientist. Runyan, who has worked in human factors for well 
over thirty-five years, started his own company to supply access technologies for the 
visually impaired. Quoting just a small portion of Runyan’s essay in frustration from his 
65 minute voting experience in the 2004 Presidential election:[6] 

It took me 30 minutes to work my way through the ballots and make my selections. After 
that, I had quite a bit of trouble getting into the review mode, to get a full list of all my 
selections. When I did, it went on and on, for 23 minutes, like a long uncontrolled drink 
from a fire hose. The review function read each item, and then, at the very end, said what 
my selection was for that item. It even threw in the details of what the fiscal impact would 
be, and took forever. This is completely backwards. It should announce the name of the 
item, then state my selection, and then read the rest of the information for that item. Also, 
I should have the control to press the arrow key to move forward or backward through 
the items, without having to listen to all the text about an item. 

When I did find that I had made a mistake in my selections, I had to wait until the end of 
the whole review process to correct it, instead of being able to stop, make the change, 
and then continue with the review where I left off. 

I did not want to abort the ballot verification review, to make a correction, and then have 
to start the 23 minute review all over again. When I later attempted to change one of my 
selections from "no" to "yes", the machine would not let me just select "yes", until I had 
first gone to the "no" entry and deselected it. This was very awkward and confusing. My 
wife said that she also had the problem when she was voting visually on her DRE 
machine. 

Blind and disabled voters want and deserve secure voting systems. Natalie Wormeli, a 
lawyer who is completely blind, has manual dexterity issues, and uses a wheelchair[7], is 
far more eloquent than I could ever hope to be in her 2004 testimony before the 
California State Senate Elections and Reapportionment Committee: 

I deeply regret that I am unable to testify in person at today's hearing because of serious 
health problems. Please consider the following as my written testimony. I am writing this 
letter as a concerned California voter, an attorney, and a woman with multiple 
disabilities. For purposes of this letter, I am only representing myself, and I do not claim 
to speak for anyone else. 

I am particularly offended by the reoccurring claim that people with disabilities are 
disenfranchised. This is highly inflammatory rhetoric, ignoring the definition of 
enfranchisement, which is a person's right to vote. When I turned 18, I became 
enfranchised. Not having the ability to vote without another human being's assistance is 
the reality that I deal with, but does not make me disenfranchised. I rely on other people 
to help me with tasks that I am not physically able to do, but I remain in control and 
independently thinking the entire time. When voting, I can choose to bring a friend, a 
family member, or ask one of the well-trained poll workers for assistance. 


Providing flawed DRE systems would erode trust among voters with disabilities as well 
as able-bodied voters in California and throughout the country. If Californians depend 
on flawed systems, and California has problems in November, the headlines throughout 
the country will undoubtedly reflect this horrible fact. 

Other disability rights advocates claim that decertification would be a step back, treating 
people with disabilities as second class citizens. I argue that requiring California voters 
to use dangerously flawed DREs will be forcing second rate technology on us all. 

I know that DRE system developers are working tirelessly to create dependable secure 
systems, and I am confident that one day I will be able to vote privately without 
assistance. However, I refuse to act as a complaining passenger in the backseat asking, 
are we there yet? I know I will be there soon enough, but I only want to arrive safely and 
with everyone on board. I know that when SB 1723[8] is passed, you will be heroes for all 
the citizens of California, especially voters with disabilities.[9] 

For many people with disabilities, using a VVPB presents no accessibility difficulties 
whatsoever and does not in any way prohibit private and independent voting. 

Fortunately, we do not have to settle for voter verified paper ballots that are not 
accessible to blind and visually impaired voters. It is not difficult to integrate audio 
capabilities into the design stage of voting systems. Tactile ballots and tactile voting 
systems allow blind voters to vote privately and independently and to verify their votes. 
New technologies can and should be developed. For example, hand held text-to-speech 
reading devices, such as the one recently announced by the National Federation of the 
Blind,[10] might be modified for use in elections. 

It’s time for us to demand of our voting systems that, in addition to being accessible, they 
must be safe, accurate, reliable, secure, and audited. For now that means that we need 
voter verified paper ballots, routine random manual audits, improved policies and 
procedures, increased transparency, and a national mandate that voter verified paper 
ballots shall be the official ballots used and the final authority in all cases of recounts, 
challenges, random manual audits, equipment malfunction, and suspect polling places. 

As President Reagan said: Trust, but verify. 

It is part of our nature to rely on technology to improve our institutions. Voting and voter 
registration are no different. Technology, if engineered and tested carefully and if 
deployed with safeguards against failure, can reduce error rates, provide more 
accessibility, increase accountability, and strengthen our voting system. However, we 
have rushed to put technologies in place without careful regard as to how they must 
perform. We are now seeing questions raised about the security, reliability, accessibility, 
and usability of these machines. We can take immediate steps to address security 
concerns by ensuring that we have voter verified paper ballots and routine random 
manual audits. Beyond this, the technical community and the election community need 
to work together to develop computerized voting and electronic registration systems that 
truly deserve the public’s trust. 

Appendix: Electronic Voter Registration Databases 

While beyond the scope of this hearing, we are seeing serious problems with statewide 
electronic voter registration databases. One of HAVA’s key provisions requires all states 
to have statewide electronic databases in place by the beginning of this year. Some states 
already had these systems in place; others were faced with difficult decisions on how to 
consolidate or synchronize disparate local databases into a statewide system. Like all 
technology, these systems are complex and require careful engineering so that they are 
accurate, private, secure, usable, and reliable. Otherwise, voters can be rejected at the 
polls and disenfranchised, or the systems could be exposed to fraud from unauthorized 
access. USACM released a study earlier this year[11] that provides 99 recommendations 
for state and local officials to follow when implementing electronic voter registration 
databases. 


[1] http://www.acm.org/usacm/Issues/EVoting.htm 

[2] http://www.lwv.org/AM/Template.cfm?Section=Reports_from_Convention&Template=/MembersOnly.cfm&ContentID=5597 

[3] http://www.fec.gov/hava/law_ext.txt 

[4] http://www.votetrustusa.org/index.php?option=com_content&task=view&id=1595&Itemid=26 

[5] http://www.votersunite.org/info/KellyPierceReport3-05.htm 

[6] Voting experience in November 2004 Election in Santa Clara County California — 
Using Sequoia Voting Machines, by Noel Runyan, 
http://www.votersunite.org/info/RunyanOnSequoia.htm 

[7] Wormeli’s description of herself given in testimony at the Meeting of the State of 
California Secretary of State Voting Systems and Procedures Panel, April 28, 2004, 
Sacramento, CA., http://www.ss.ca.gov/elections/vsptranscript0428.pdf 

[8] SB 1723, which would have required that all voting machines produce an Accessible 
Voter Verified Paper Audit Trail (AVVPAT) by some deadline. Later in 2004 SB 1438, 
which essentially prohibited the deployment of voting machines that did not produce an 
AVVPAT by 2006, became law. 

[9] Testimony before the California State Senate Elections and Reapportionment 
Committee, by Natalie Wormeli, Esq., May 5, 2004. Wormeli’s complete written 
testimony can be found at http://www.wheresthepaper.org/NatalieWormeli.htm or 
http://www.leagueissues.org/cdrom/disabled/Security.doc . 

[10] The Kurzweil-National Federation of the Blind Reader: The Revolution Is Here!, by 
James Gashel, 
http://www.nfb.org/Images/nfb/Publications/bm/bm06/bm0607/bm060703.htm 

[11] Statewide Databases of Registered Voters: Study of Accuracy, Privacy, Usability, 
Security, and Reliability Issues, February, 2006, www.acm.org/usacm/vrd . 





The Chairman. Next we turn to Mr. Keith Cunningham who is 
the election director in Allen County, Ohio. He serves on the board 
of advisors to the Election Assistance Commission and also partici- 
pated in the Cuyahoga County recount study performed by the 
Election Science Institute. 

Mr. Cunningham, you are recognized. 

STATEMENT OF KEITH CUNNINGHAM, ELECTION DIRECTOR, 
ALLEN COUNTY, OH 

Mr. Cunningham. Thank you, Mr. Chairman, and let me say 
what an honor it is for a guy from a small town in Ohio to be sit- 
ting here before you today in this tremendous forum. 

I am also the immediate past president of the Ohio Association 
of Election Officials, and I want to say to you before I begin, when 
I wake up in the morning and head for my job I am feeling pretty 
good about it. I believe the job that I am involved in, which is an 
elections director, has meaning and has merit and is doing things 
to make our country and our community better. 

One thing I think we all agree on is that electronic voting needs 
some type of verification system, some component that allows it to 
be audited. And of course all systems need that, but as my prede- 
cessors have said, a hard ballot system is rather obvious how we 
audit those. Personally I do not have any particular aversion to 
voter-verified paper audit trails. 

However, in Ohio the system is that the voter-verified paper 
audit trail becomes the official ballot of record for recount purposes. 
I must say to you, clearly I am adamantly opposed, based on the 
experience I have had in Cuyahoga County, to that. I believe that 
program is setting election officials up for failure at this point in 
time. 

If the VVPAT was to be extended to voters as a courtesy by 
which to check their votes, I have no problems with that. I think 
statistics indicate voters don’t even use it when it is available to 
them. The studies on hand show that maybe less than 10 percent 
of the people actually utilize that. 

We looked at approximately 350 VVPAT tapes in Cuyahoga 
County, and over and over and over we encountered tapes that 
were missing, that were in some way compromised. You have the 
numbers before you, so I won’t bore you with the statistics, but I 
think two of them are very important for you to remember. Nearly 
17 percent of the VVPAT tapes reviewed by that team — and that 
team consisted of a lot of Ohio election officials that came in to 
help participate — nearly 17 percent of those tapes showed a vote 
discrepancy of one to five votes from the electronic machine, and 
nearly 10 percent of those tapes were either destroyed, blank, miss- 
ing, taped together, or in some other way compromised. 

My point is this: that when you use the VVPAT at this point in 
time as the official record of a recount vote, it actually serves to 
disenfranchise the voter because votes are lost in the VVPAT proc- 
ess. They are simply not there and cannot be retrieved. We could 
have retrieved those votes by other means from those machines, 
but in Ohio we are not allowed to because the recount official ballot 
of record in a recount becomes the VVPAT. 





So I would submit to you that it was the paper that actually 
caused the count to be in question. Additionally, and we have some 
photographs here I would like to show you, there is no reliable 
technology for which to recount VVPATs. To ESI’s credit they had 
a makeshift kind of crank thing that you could put the tapes in and 
reel them up. These things are sort of like wrestling octopuses. 

As you can see — let’s go to the next one, the next one. These are 
some of my friends. 

This is just kind of the scene. There you can see the machine. 
I will tell you what I equate this to. We are pretty agricultural in 
my part of Ohio. I equate this to planting several hundred acres 
of wheat with a million-dollar planting machine and harvesting it 
by hand like the Amish used to, and stacking it up in the fields. 

This was mind-numbing, to say the least. Now keep in mind we 
went through 300-some tapes. There were probably near 4,000 
tapes in Cuyahoga County. This took us two 10-hour days, actually 
2½ because the first half day was upsetting the system. 

Continue, please. 

This is simply a tape with no record printed on it. Continue 
again, please. 

Same thing. This is the information that we are looking through 
on the tapes trying to — and, remember, at least this is Ohio’s rule, 
that when you recount a race, you can’t recount any other race. 
You can only recount the race that is going to be recounted. So if 
you have got 27 candidates on the ballot, you have got to reel 
through all 27 to get to the race, maybe a down ballot race. 

This is an example of one that is taped together that has obvi- 
ously been in the machine, it accordioned in the machine. I don’t 
know, that black line probably represents 20 or 30 votes. There 
was no way to reconcile that. There is another torn tape, another 
shot of the crude machine we were using to do this. 

I think they speak for themselves. I honestly don’t have any rea- 
son to believe DREs don’t record votes accurately but I understand 
the concerns and I do believe that we should have some kind of 
audit system for it. I would say to you, considering the size and 
scope of the deployment of voting machines in the last 12 to 24 
months in America, I think election officials have done a pretty 
darn good job. We are working on improving it. 

Unfortunately, I believe — and I will wrap up here in just a sec- 
ond — I believe it is the environment which is slowing our pace of 
improvement. As a local election official I am going to tell you, I 
feel like I am in a cross-fire, and I know many of my colleagues 
do; and that cross-fire is a very, very polluted conversation, and it 
is being polluted with political interests, corporate interests and 
scientific one-upmanship. And I often wish I had as many people 
helping me find the solutions as I did identifying the problems. It 
would make my job an awful lot easier. 

I want to echo the remarks earlier, that I do believe we should 
continue to fund HAVA. I think the underfunding of HAVA sends 
a very inconsistent message to those of us out there trying to do 
this on a daily basis. I would say to you also, please allow us to 
finish what has been started and what is in motion before we begin 
to tinker with this. We have been given a set of tasks that are 
very, very hard to manage. And, again, in the scope of the deployment 
that has taken place in this country, I don’t want to say there 
weren’t problems in it, but I think my colleagues have done a very 
good job and I would hope that in the future when we do begin to 
debate and speak about this, we can do it in on honest and direct 
terms, without misrepresentations, half truths, and focus on what 
it is we need to do to cure these problems and make America’s elec- 
tions — give people confidence in them. I think it is too far to — too 
much to expect any less than that. 

Thank you for your time. I appreciate it. 

The Chairman. Thank you. 

[The statement of Mr. Cunningham follows:] 






VOTER VERIFIED PAPER AUDIT TRAILS 


Testimony of 


Keith A. Cunningham 

Director 

Allen County Board of Elections 
Lima, Ohio 


U.S. HOUSE OF REPRESENTATIVES 

COMMITTEE ON HOUSE ADMINISTRATION 
Vernon J. Ehlers, Chairman 

September 28, 2006 


WASHINGTON, DC 





Chairman Ehlers and members of the Committee on House Administration it is an honor to come before you. 
Thank you for allowing me to share my thoughts. My name is Keith Cunningham, and I currently serve as 
Director of the Allen County Board of Elections in Ohio. In addition to my current duties, I am the immediate 
past president of the Ohio Association of Election Officials and a member of the EAC Advisory Board. 

One thing I think we all agree on is Electronic Voting Machines or DRE’s must possess some sort of 
meaningful and accurate audit component if they are to be seriously considered part of our voting future. Of 
course all balloting systems must have components which allow for vote verification. However, the means by 
which we can verify hard ballot systems such as optical scan are obvious so I will confine my comments today 
strictly to DRE's. 

Personally I do not have any particular aversion to Voter Verified Paper Audit Trails. However, I am adamantly 
opposed to any program such as Ohio’s, which makes a VVPAT the official ballot of record for recount 
purposes. To consider the VVPAT a courtesy extended to the voter as a means by which to check their vote is 
a reasonable proposition, even though current data does not indicate voters utilize such tools when available. 

The thought that VVPAT’s are reliable enough to be used as an official ballot for recount purposes is simply 
wrong in my opinion. I witnessed this first hand when I participated in the ESI audit of approximately 350 
VVPAT tapes from the 2006 Primary Election in Cuyahoga County Ohio. Time and time again during this 
exercise the counting teams encountered VVPAT’s, the voted paper ballot produced by DRE’s, which were 
either missing entirely or missing votes because of printer errors. The ESI study concluded: 

15% of the VVPAT’s reviewed required a secondary count. 

1.4% of the VVPAT cartridges exhibited missing ballots. 

16.9% of VVPAT tapes showed a discrepancy of 1-5 votes. 

2.1% showed a discrepancy of over 25 votes. 

9.66% of the tapes were either destroyed, blank, missing, taped together or otherwise compromised. 




[Chart: VVPAT Discrepancy, ESI Study of Cuyahoga County Primary Election 2006. Axis "Cause of Discrepancy" with categories Secondary Count, Missing Ballots, Missing 1-5 Votes, Missing 25+ Votes, Compromised.] 


My point in all of this is that the PAPER requirement on the DRE caused discrepancies in vote totals; 


• Because the paper record was the “official” vote it now disenfranchised voters because their 
votes are lost to the process even though we could faithfully retrieve them from the electronic 
record. 

• The paper caused the count to be in question because there weren’t enough of the paper records 
to match the actual voter’s votes due simply to the fact these paper systems are not ready for real 
time use. 

• Failures of equipment caused by the paper requirements complicated the process for poll workers 
and VOTERS alike. 

Additionally, there is no technologically reliable means by which to count VVPAT’s. Several manufacturers 
indicate they have them in production but I have never witnessed one in successful operation and I don’t know 
anyone who has. Thus, the methods currently employed to recount VVPAT’s are makeshift at best. 




[Photographs: Audit of VVPAT. Election Science Institute Audit of VVPAT, Cuyahoga County Ohio 2006 Primary Election.] 






One of the obvious reasons for this is VVPAT was an afterthought in electronic voting. Most State VVPAT 
regulations were promulgated after local boards had made the decision to purchase DRE’s. In some cases 
expensive computerized voting systems have simply been retrofitted with cheap printers with nothing more than 
a hope their results can be matched. The fact is, the printer technology currently being utilized for VVPAT 
printing is woefully inadequate. Without significant and probably expensive improvement in this technology 
the goal of matching a VVPAT to its electronic counterpart most likely will not be achieved. 

I have no reason to believe that DRE’s do not record votes accurately other than theories that some sort of 
manipulation could occur and I have absolutely no knowledge of that actually happening. That is not to say we 
should rely on them absent of some sort of auditing standards. However, I am convinced the VVPAT is not 
that standard. 

In considering the overall issue of machine security we must remember that the parallel goals of access and 
security are actually opposite goals in most traditional applications. Usually when we want to secure something 
we limit access. In contrast when something is accessible, the accepted norm is that security is going to be 
somewhat sacrificed. Considering the antithetical nature of these two goals I believe the election administrators 
across America are doing “a pretty darn good job.” Can it be improved? Yes. Is it being improved? 
Absolutely! 

I believe it is the environment, which is slowing the pace of improvement. Today, Election Officials find 
themselves in crossfire. That crossfire is a polluted conversation about what is really happening. The 
conversation is being polluted by political interests, corporate interests and scientific one-up-man-ship. It is a 
dialogue where fiction becomes fact and myth becomes legend. In Ohio for instance, no one even bothered to 
consider that the exit polls could be wrong! 




“Discrepancies between early exit poll results and popular vote tallies in several 
states may be due to a variety of factors and do not constitute prima facie evidence 
for fraud in the current election” 

INTERIM REPORT ON ALLEGED IRREGULARITIES IN THE UNITED STATES PRESIDENTIAL ELECTION OF 2 NOVEMBER 2004 

THE NATIONAL RESEARCH COMMISSION ON ELECTIONS AND VOTING 
A PROJECT OF THE SOCIAL SCIENCE INSTITUTE 
22 December 2006 


Ladies and Gentlemen, we need your help. HAVA needs to be completely funded immediately so what has 
been initiated can be completed. Universal, realistic standards must come forth sooner than later so that we are 
all speaking the same language. And when we speak, we must pledge to purge our conversation of 
misrepresentations and half-truths and focus ourselves on honest debate about the future of our elections in 
America, it is far too important to expect less. 


Again, thank you for the opportunity to share these thoughts with you. 




Keith A. Cunningham, CERA 

204 N. Main Street 
Lima, Ohio 
Phone (419) 223-3530 

Professional experience 

    Allen County Ohio 
        Director, Board of Elections 1998-present 

Additional professional experiences 

    City of Lima, Ohio 
        Member, Lima City Council 1987-1991 
        President, Lima City Council 1992-1998 

    Martin Printing Company, Lima, Ohio 
        Owner, Managing Partner 

Professional memberships 

    Ohio Association of Election Officials 
        President - 2005 
        Member, Board of Trustees 

    The Election Center 
        C.E.R.A. Program Graduate 

Professional appointments 

    Ohio Secretary of State 
        Election Systems Study Committee (2000) 
        Voter File Update Committee (2001) 

    Ohio Association of Election Officials 
        Education Committee (2003-2004) 
        Board of Trustees 
        President - 2005 

    The Election Center 
        National Election Reform Task Force 

    United States Election Assistance Commission 
        Advisory Board 



The Chairman. We hear your cry for help; namely, leave us 
alone, let us do it. I also want you to know that you are not the 
only one who has crowds of people yelling at him for a solution and 
offering no assistance. We experience that every day of the week. 
So you have our sympathy. 

Next, I am pleased to introduce, James Dickson, Vice President 
of Government Affairs for the American Association of People with 
Disabilities. He has been a very strong advocate throughout this 
process of making certain that anyone with disabilities is permitted 
to vote and has the sanctity of the secret ballot which is essential 
to all of us and essential to democracy. 

Mr. Dickson, you are recognized. 

STATEMENT OF JAMES DICKSON, VICE PRESIDENT OF GOV- 
ERNMENT AFFAIRS, AMERICAN ASSOCIATION OF PEOPLE 

WITH DISABILITIES 

Mr. Dickson. Thank you. Chairman Ehlers, members of the com- 
mittee. I have two disabilities: I am blind and I am blunt. In these 
5 minutes I am going to summarize some of the points of my writ- 
ten testimony. First I want to thank the Members of Congress who 
passed the Help America Vote Act. I voted secretly and independ- 
ently for the first time 2 years ago; for the second time just a 
month ago. I cannot put into words the glorious feeling and the 
pride that I had as an American, and I am speaking for tens of mil- 
lions of other Americans who have now the first opportunity to vote 
privately and independently. 

I have got a few stories to tell about the problems that I faced 
and which millions of other voters face when not being able to vote 
privately or independently. These happened to me, but literally 
there are millions of stories like it. The very first time I voted, the 
poll worker said to me, loud enough for everybody in the polling 
place to hear: You want to vote for who? 

On another occasion I had a poll worker say to me: We are very 
busy; nobody votes for state legislators and these other races, so 
how about if we finish now? 

On another occasion I had a poll worker say to me: These 
referenda today are really confusing, most people don’t vote on 
them, so why don’t we stop now? 

On yet another occasion I had a poll worker say to me: This print 
on the referenda is too small, I can’t read it to you, so can we be 
finished? That particular excuse did not get much sympathy from 
me. 

Touch screens are the best existing product we have that offers 
accessibility to the greatest number of people. I participated in the 
earlier work that was referenced, by Kelly Pierce. The rest of the 
story is that after those initial tests, the company was able to inex- 
pensively and quickly make changes to the access procedures so 
that the problems were eliminated. 

Touch screens — access is a continuum and we need to have 
equipment designed so that as access increases it can be cheaply, 
efficiently, and quickly installed on the equipment. Touch screens 
are the only product available now that meets those requirements. 
At AAPD we absolutely want secure, accurate, recountable elections 
that are systems that are accessible. The paper trail is not 
accessible. 

This is a California ballot. Try recounting. I will leave for the 
committee — this is the roll that was not able to be counted in Ohio. 
Paper trail is a Rube Goldberg contraption. It doesn’t work, it is 
not accessible, you can’t recount it. It doesn’t even offer verification. 
Not only do people not look at the verification, in the tests done 
at the MIT where the computers were set up so that votes were 
changed, MIT students didn’t find the changed vote when they 
looked at the verification on paper. When the verification was done 
by audio, listening through earphones, they found the changed 
votes. 

I want to sum up with the following three points. Things have 
to be accessible. Thank you for making that stand in HAVA. The 
paper trail does not even do what the proponents want, and the 
proponents are a very small group who speak very loudly. There 
have been, over and over again, public opinion polls. When voters 
use touch screens they trust them 80 percent; 80 percent when 
they use them. We shouldn’t let a loud vocal minority using fear 
determine what is going to happen in the sanctity of the polling 
place. 

The last point I want to make, and it is very, very important, is 
the real problems in our voting system are human factors, are 
human errors. And before we order something to be done in the 
polling place, we need money to research and document what the 
problems are and we need to test proposed solutions in the reality 
of the polling place, not in a laboratory. Put me in an empty room 
with a ballot box full of paper, and I will hack into it in less than 
60 seconds. 

Thank you again. This discussion is very important. And I would 
just ask you to remember that 80 percent of Americans who vote 
on touch screens believe their vote is secure and accurate. 

The Chairman. Thank you, Mr. Dickson. Appreciate your com- 
ments. 

Thank you, Mr. Dickson, and we appreciate your comments 
about showing why it was so worthwhile for us to insist that all 
individuals be able to cast their ballot in secret. So thank you. 

Next I am pleased to introduce Michael Shamos. He is a pro- 
fessor at Carnegie Mellon University and is also the director of the 
Institute for Software Research. Dr. Shamos, you are recognized. 

STATEMENT OF MICHAEL I. SHAMOS, PROFESSOR, INSTITUTE 

FOR SOFTWARE RESEARCH DIRECTOR, CARNEGIE MELLON 

UNIVERSITY 

Mr. Shamos. Thank you, Mr. Chairman. I just want to make a 
small correction to the record. I am not the director of the Institute 
for Software Research, I am just a member of the Institute for Soft- 
ware Research. But I am also an attorney admitted to practice in 
Pennsylvania and before the United States Patent Trademark Of- 
fice. Since 1980 I have been an examiner of electronic voting sys- 
tems for various States. I am currently an examiner for Pennsyl- 
vania and I have personally performed 118 voting systems exami- 
nations. I am going to do my 119th examination next week. 





I recall that, Mr. Chairman, you are a physicist. Representative 
Holt is a physicist. I am a former physicist. My proposal is we set- 
tle this issue like physicists, based on scientific evidence and not 
on emotion. 

I view electronic voting as primarily an engineering problem that 
includes the design of processes and procedures. Once the require- 
ments for a voting system are agreed upon, it is then a matter of 
developing and manufacturing the equipment processes that meet 
these requirements. The question is whether Congress should be 
setting technical performance guidelines and engineering stand- 
ards, as H.R. 550 would have it do, or whether such guidelines 
should be left to this and the EAC, as HAVA has already provided. 

The proposed bill is based on three major assumptions, all of 
which are false. First, it assumes that paper records are somehow 
more secure than electronic ones, a proposition that has been re- 
peatedly shown to be wrong throughout history. Second, it assumes 
that voting machines without voter-verified paper trails are 
unauditable because they are claimed to be paperless, which is also 
false; they are neither paperless nor unauditable. Third, it assumes 
that paper trails actually solve the problems exhibited by DRE ma- 
chines, which is likewise incorrect. 

The reason that mechanical voting machines were introduced 
over a century ago was to stop rampant fraud involving paper bal- 
lots. H.R. 550 would restore us to the year 1890 when anyone who 
wanted to tamper with an election needed to do no more than to 
manipulate pieces of paper. The recent example in Cleveland, Ohio, 
Cuyahoga County, is extremely instructive. That was the case we 
just heard, that 10 percent of the paper trails could not be read. 
H.R. 550 provides that in the event of any inconsistency between 
electronic and paper records, the paper records are irrebuttably 
presumed to be correct. Attorneys like myself are always wary of 
irrebuttable presumptions. Applying that provision to Cleveland 
would have resulted in the disenfranchisement of 10 percent of the 
electorate because their paper records could not be read. 

I cannot believe that the numerous sponsors of this legislation 
contemplated such an outcome. I did a review of the U.S. elections 
starting in the year 1824 when the popular vote began to be kept. 
I looked at the percentage of times that you took 10 percent of the 
popular vote and subtracted it from the winner and gave it to the 
loser, how often would the outcome change; and the answer is, 
since 1854, 55 percent of our Presidential elections would have 
been reversed if you couldn’t count 10 percent of the paper trail. 

The argument is made that security problems with DRE voting 
demand remediation of the type proposed in the bill. Indeed Pro- 
fessor Felten at Princeton, Harri Hursti, and others have done a 
great service by exposing security vulnerabilities in voting systems. 
Some of these vulnerabilities are severe and require immediate re- 
pair, but the point is that they are easily remedied. 

The question for the committee is what the proper response to 
such discoveries ought to be. When tainted spinach was found in 
California, Congress did not ban the eating or distribution of leafy 
vegetables, even though at least one human life had been lost. The 
appropriate reaction to the discovery of a security flaw in a voting 
system is to repair it, not to outlaw an entire category of voting 
machines with which we have a quarter-century of experience. 

It is claimed that observed reliability problems with DRE ma- 
chines will be alleviated by adding a paper trail. Field experience 
has shown the opposite. The failure rate of paper-trail DREs is 
double that of DREs without paper trails. It should be obvious that 
adding a new device with moving mechanical parts to an existing 
electronic machine cannot improve its reliability. 

The effect of H.R. 550 would be to ban electronic voting entirely 
in Federal elections. I want to repeat that. It would be to ban elec- 
tronic voting entirely in Federal elections. The reason is that the 
bill sets forth conditions that are not met by any DRE system cur- 
rently on the market in the United States. If it were to pass in its 
present form there could be no more electronic voting in this coun- 
try, and Congress would be in the position, after spending $3 bil- 
lion on new voting equipment, of spending billions more paying for 
what it just paid for. I cannot believe that the numerous sponsors 
of this legislation contemplated such an outcome. 

Further, the bill as written mandates a system that would vio- 
late constitutional and statutory provisions in more than half the 
States. The secret ballot is regarded as an essential component of 
American democracy. Each one of the DRE paper-trail systems that 
are currently on the market either enables voters to sell their votes 
or allows the government and the public to discover precisely how 
each voter in a jurisdiction has voted. I cannot believe that the nu- 
merous sponsors of this legislation contemplated that outcome ei- 
ther. 

I am in favor of voter verification. The proposed bill, despite in- 
corporating the phrase “voter verified” into its title, does not come 
close to providing real voter verification. While it shows the voter 
that her choices were properly understood and recorded by the ma- 
chine, it offers no assurance whatsoever that her ballot was count- 
ed, that it ever will be counted, or it will even be present in the 
event a recount is demanded. Once the polls have closed, the voter 
not only has no recourse or remedy, but is powerless to even deter- 
mine whether her vote is part of the final tally or object, if she be- 
lieves it isn’t. That is not voter verification, regardless how it may 
be denominated in the text of the bill. 

I submit that if Congress desires to enact a comprehensive stat- 
ute mandating voter verification, it ought to verify whether the 
proposed legislation actually accomplishes that goal. Numerous ef- 
fective verification methods are known that are not based on vul- 
nerable paper records. These have not yet been implemented in 
viable commercial systems. I understand that scientists at NIST 
will soon announce another one. 

If H.R. 550 is enacted there would be no point in continuing re- 
search and development on any such system, since the statute 
would prohibit any system that didn’t use paper records. 

Professor Ronald Rivest of MIT has recently invented a voting 
method that allows each voter to verify, after the election is over, 
that her vote has actually been counted, a feature that is absent 
from the systems contemplated by H.R. 550. Professor Rivest’s system 
also allows any member of the public to tabulate the results 
of the election for herself, so it is not even necessary to trust the 
official count. 

These discoveries demonstrate that voter verification is now a 
ripe area of scientific research and it is far too early to mandate 
by statute a bad nonsolution to a presumed problem. 

My purpose here today is not simply to complain about the bill 
but to offer a constructive alternative. As part of my written testi- 
mony, I have included a complete markup for the proposed legisla- 
tion that retains its essential positive feature such as voter 
verification but eliminates its ill-advised provisions. I urge the com- 
mittee not to report the bill favorably in its present form, and I 
thank you for the opportunity to be here today. 

The Chairman. Thank you for your testimony. 

[The statement of Mr. Shamos follows:] 





Testimony of Michael I. Shamos 

Before the U.S. House of Representatives’ Committee on House Administration 

September 28, 2006 

Mr. Chairman: My name is Michael Shamos. I have been a faculty member in 
the School of Computer Science at Carnegie Mellon University in Pittsburgh since 1975. 
I am also an attorney admitted to practice in Pennsylvania and before the United States 
Patent and Trademark Office. Since 1980 I have been an examiner of electronic voting 
systems for various states. I am currently an examiner for Pennsylvania and have 
personally performed 118 voting system examinations. I will do my 119th next week. 

I view electronic voting as primarily an engineering problem that includes 
designing processes and procedures. Once the requirements for a voting system are 
agreed upon, it is then a matter of developing and manufacturing equipment and 
processes that meet those requirements. The question is whether Congress should be 
setting technical performance guidelines and engineering standards, as H.R. 550 would 
have it do, or whether such guidelines should be left to NIST and the EAC, as HAVA has 
already provided. 

The proposed bill is based on three major assumptions, all of which are false. 
First, it assumes that paper records are more secure than electronic ones, a proposition 
that has repeatedly been shown to be wrong throughout history. Second, it assumes that 
voting machines without voter-verified paper trails are unauditable because they are 
claimed to be “paperless,” which is also false. They are neither paperless nor unauditable. 
Third, it assumes that paper trails actually solve the problems exhibited by DRE 
machines, which is likewise incorrect. 

The reason that mechanical voting machines were introduced over a century ago 
was to stop rampant fraud involving paper ballots. H.R. 550 would restore us to the year 
1890, when anyone who wanted to tamper with an election needed to do no more than 
manipulate pieces of paper. The very idea that a paper record is secure at all continues to 
be refuted in every election. A recent example is the May 2006 primary held in 
Cleveland, Ohio. That state has a VVPAT requirement. When the paper records from 
the election were examined by an independent study group commissioned by Cuyahoga 
County, ten percent of the paper records were found to be illegible, defaced or entirely 
missing. 

H.R. 550 provides that in the event of any inconsistency between electronic and 
paper records, the paper records are irrebuttably presumed to be correct. Applying that 
provision to Cleveland would have resulted in the disenfranchisement of 10 percent of 
the electorate because their paper records could not be read. I cannot believe that the 
numerous sponsors of this legislation contemplated such an outcome. 

The argument is made that security problems with DRE voting demand 
remediation of the type proposed in the bill. Indeed, Prof. Felten at Princeton, Harri 
Hursti and others have done a great service by exposing security vulnerabilities in voting 
systems. Some of these vulnerabilities are severe, and require immediate repair. But the 
point is that they are easily remedied. The question for the Committee is what the proper 
response to such discoveries ought to be. When tainted spinach was found in California, 
Congress did not ban the eating or distribution of leafy vegetables, even though at least one 
human life had already been lost. The appropriate reaction to the discovery of a security 
flaw is to repair it, not to outlaw an entire category of voting machine with which we 
have a quarter-century of experience. 

It is claimed that observed reliability problems with DRE machines would be 
alleviated by adding a paper trail. Field experience has shown the opposite. The failure 
rate of paper trail DREs is double that of DREs without paper trails. It should be obvious 
that adding a new device with moving mechanical parts to an existing electronic machine 
cannot improve its reliability. 

The effect of H.R. 550 would be to ban electronic voting entirely in Federal 
elections. The reason is that the bill sets forth conditions that are not met by any DRE 
system currently on the market in the United States. If it were to pass in its present form, 
there could be no more electronic voting in this country and Congress would be in the 
position, after spending $3 billion on new voting equipment, of spending billions more to 
replace what it just paid for. I cannot believe that the numerous sponsors of this 
legislation contemplated such an outcome. 

Further, the bill as written mandates a system that would violate constitutional 
and statutory provisions in more than half of the states. The secret ballot is regarded as 
an essential component of American democracy. Each one of the DRE paper trail 
systems that are currently on the market either enables voters to sell their votes, or allows 
the government and the public to discover precisely how each voter in a jurisdiction has 
voted. I cannot believe that the numerous sponsors of this legislation contemplated such 
an outcome. 

I am in favor of voter verification. The proposed bill, despite incorporating the 
phrase “voter-verified” into its title, does not come close to providing real voter 
verification. While it shows the voter that her choices were properly understood and 
recorded by the machine, it offers no assurance whatsoever that her ballot was counted, 
that it will ever be counted, or that it will even be present when a recount is conducted. 
Once the polls have closed, the voter not only has no recourse or remedy, but is 
powerless to even determine whether her vote is part of the final tally or to object if she 
believes it isn't. That is not voter verification, regardless how it may be denominated in 
the text of the bill. I submit that if the Congress desires to enact a comprehensive statute 
mandating voter verification, which I favor, it ought to verify whether the proposed 
legislation actually accomplishes that goal. 

Numerous effective verification methods are known that are not based on 
vulnerable paper records. These have not yet been implemented in viable commercial 
systems. I understand that scientists at NIST will soon announce another one. If H.R. 
550 is enacted, there would be no point in continuing research and development on such 
better methods, since the statute would prohibit the use of any system not based on paper. 

Prof. Ronald Rivest of MIT has recently invented a voting method that allows 
each voter to verify, after the election is over, that her vote has actually been counted, a 
feature that is absent from the systems contemplated by H.R. 550. Prof. Rivest’s system 
also allows any member of the public to tabulate the results of the election for herself, so 
it is not even necessary to trust the official count. These discoveries demonstrate that 
voter verification is now a ripe area of scientific research, and it is far too early to 
mandate by statute a bad non-solution to the presumed problem. 

My purpose here today is not simply to complain about the bill, but to offer a 
constructive alternative. As part of my written testimony I have included a complete 
markup of the proposed legislation that retains its essential positive features, such as 
voter verification, but eliminates its ill-advised provisions. I urge the Committee not to 
report the bill favorably in its present form. 

I thank you for the opportunity to testify here today. 


Biography of Michael I. Shamos 

Michael I. Shamos is Distinguished Career Professor in the Institute for Software 
Research of the School of Computer Science at Carnegie Mellon University, where he 
directs graduate programs in eBusiness. He has been associated with Carnegie Mellon 
since 1975. He is Editor-in-Chief of the Journal of Privacy Technology. 

Dr. Shamos received an A.B. in Physics from Princeton University, an M.A. in 
Physics from Vassar College, M.S. degrees from American University in Technology of 
Management and Yale University in Computer Science, the M.Phil. and Ph.D. in 
Computer Science from Yale University and a J.D. from Duquesne University. He is a 
member of the bar of Pennsylvania and the United States Patent and Trademark Office. 

From 1980-2000 and from 2004-present he has been statutory examiner of 
computerized voting systems for the Secretary of the Commonwealth of Pennsylvania. 
From 1987-2000 he was the Designee of the Attorney General of Texas for electronic 
voting certification. He has conducted more than 115 voting system examinations. In 
2004 he designed and taught a course on electronic voting at Carnegie Mellon University. 
In 2006 he taught a course on voting system testing for the National Institute of Standards 
and Technology. 

Dr. Shamos has been an expert witness in five recent lawsuits involving electronic 
voting, including Wexler v. Lepore in Florida, Schade v. State Board of Elections in 
Maryland and Taylor v. Onorato in Pennsylvania. He was the author in 1993 of 
“Electronic Voting — Evaluating the Threat” and in 2004 of “Paper v. Electronic Voting 
Records — An Assessment,” both of which were presented at the ACM Conference on 
Computers, Freedom & Privacy. He has provided testimony on electronic voting to the 
Pennsylvania legislature and to three committees of the U.S. House of Representatives. 

Further information is available at http://euro.ecom.cmu.edu/shamos.html. 




Markup of H.R. 550 by Michael I. Shamos, Sept. 29, 2006 

[Notes: Following is a summary of the chief benefits of the bill: 

• It establishes a requirement for voter verification in elections for Federal office. 
Because states will not invest in multiple systems in the same polling locations, 
the practical effect is to require verification in all public elections. 

• It mandates public disclosure of voting system source code. 

• It bans wireless components in voting systems. 

• It provides for mandatory audits of the voter-verified records. 

The bill suffers from serious deficiencies, however, of which these are the most important: 

• It mandates paper, the least secure form of record, as the mechanism of 
verification. 

• It provides that the paper record would be the official record of the vote, even if 
the paper record is illegible, missing or obviously tampered with or defaced. This 
provision alone would have resulted in the disenfranchisement of 10% of the 
voters in Cleveland, Ohio in the 2006 primary. 

• It imposes a set of technical requirements not currently met by any commercially 
available DRE system in the United States. Therefore, its sub rosa effect is to ban 
electronic voting entirely. 

• It goes too far in requiring disclosure of source code not owned or controlled by 
voting system vendors, such as operating system code. 

• It does not protect the disabled within the original spirit of HAVA. 

• It does not go sufficiently far in requiring adherence to Federal voting system 
guidelines, which are presently voluntary but should be made mandatory. 

• It vests audit responsibility in the EAC, which is not equipped for such an activity. 
Recounting 2% of the popular vote of the U.S. by hand will require 5000 people 
for a week, which is beyond the capacity of the EAC to administer. 

• It attempts in a patchwork manner to prohibit certain conflicts of interest, but does 
not do so comprehensively. 

• It establishes a private right of action under HAVA, which the courts have 
determined was not the original intent of Congress, which established an 
administrative complaint procedure. It will result, as has already been seen, in a 
flurry of frivolous lawsuits by plaintiffs seeking to outlaw electronic voting. 

The markup I have provided retains the benefits while eliminating the deficiencies. 
Explanatory notes in brackets are provided throughout. Material that has been struck 
through thus is meant to be deleted. [Italicized material in brackets is to be added.] 

Analysis: The apparent motivation for H.R. 550 is the erroneous assumption that DRE 
machines without paper trails are unauditable. They are fully auditable if the audit 
mechanism is tested and found to be working. All DRE machines have the capability of 
producing an audit trail of complete ballot images. Once it is determined that the audit 
mechanism has not been compromised and is not defective, voting can proceed with the 
assurance that the audit trail can be used in the event of any claim of irregularity. 

Even if it is believed that electronic records are subject to tampering, all the evidence is 
that paper records do not even begin to approach the level of security of redundant, 
encrypted electronic records maintained on separate physical media. The bill rests on the 
incorrect assumption that physical ballot security can be maintained in a highly 
distributed election environment open to all citizens. That is not a solved problem, and 
there is evidence in every election cycle of lost or mutilated paper records. As recently as 
May 2006 in Cuyahoga County, Ohio, 10% of the paper records maintained in the 
election were illegible, tampered with or missing entirely. 

Nevertheless, voter verification is an important goal because of its positive effect on voter 
confidence. The VVPAT is a first crude attempt to provide verifiability. Unfortunately, 
it does so at the expense of security, secrecy, usability and reliability. It is much too early 
in the development cycle of verifiable systems to mandate a particular solution by statute, 
thus extinguishing any reason to continue research and development.] 


SECTION 1. SHORT TITLE. 

This Act may be cited as the “Voter Confidence and Increased 
Accessibility Act of 2005”. 

SEC. 2. PROMOTING ACCURACY, INTEGRITY, AND SECURITY THROUGH VOTER- 
VERIFIED PERMANENT RECORD OR HARD COPY. 

Voter Verification and Audit Capacity. — 

(1) In general. — Section 301(a)(2) of the Help America Vote Act of 
2002 (42 U.S.C. 15481(a)(2)) is amended to read as follows: 

“(2) Voter-verification and audit capacity. — 

“(A) In general. — 

“(i) The voting system shall produce or require the use of an 
individual voter verified pape^record of the voter’s vote that shall be 
made available for inspection and verification by the voter before the 
voter’s vote is cast. For purposes of this clause, examples of such a 
record include a paper ballot prepared by the voter for the purpose of 
being read by an optical scanner, a paper ballot prepared by the voter 
to be mailed to an election official (whether from a domestic or 
overseas location), a paper ballot created through the use of a 
ballot marking device, or a paper print-out of the voter’s vote 
produced by a touch screen or other electronic voting machine, so 
long as in each case the record permits the voter to verify the record 
in accordance with this subparagraph. 

"(ii) The voting system shall provide the voter with an opportunity to 
correct any error made by the system in the voter-verified p ap e r 




record before the permanent voter-verified paper^record is preserved 
in accordance with subparagraph (B)(i). 

“(iii) The voting system shall not preserve the voter-verifiable pape r 
records in any manner that makes it possible to associate a voter with 
the record of the voter’s vote. 



[Notes: The above edits preserve the requirement of voter verifiability but removing the 
word “paper” from “voter-verified paper record” allows non-paper methods of 
verification. Mandating paper as a requirement removes any incentive for development 
of alternative methods. There would be no reason for a vendor to develop a system 
superior to paper if paper were mandatory. 

Experience with paper trails in the field has not been good. In the 2006 Primary in 
Cuyahoga County, Ohio, 15% of the paper records were found to be illegible, defaced or 
missing altogether. See “Cuyahoga Election Review Panel, Cuyahoga County, OH Final 
Report” (July 20, 2006), available at 
http://www.cuyahogacounty.us/BOCC/OSC/pdf/elections/CERP_Final_Report_20060720.pdf. 
Furthermore, the percentage of DREs with paper trails that fail on Election Day is 
approximately double that of DREs without paper trails. 

The requirement in (iii) that the voting system not preserve the paper records in any way 
that permits associating a voter with a ballot is not met by any VVPAT DRE system 
currently available in the United States. Sequential paper trails, such as Diebold, Sequoia, 
ES&S and Hart, permit reconstruction of each voter’s vote from the poll list and are 
completely unacceptable. The cut-sheet systems, such as Avante, print identifying 
numbers on the ballot which the voter may record, and thus prove later which ballot is his 
own.] 

“(B) Manual audit capacity. — 

“(i) The permanent voter-verified papei^record produced in 
accordance with subparagraph (A) shall be preserved — 

“(I) in the case of votes cast at the polling place on the date of the 
election, within the polling place in the manner or method in which all 
other pap e r ballots are preserved within such polling place; 

“(II) in the case of votes cast at the polling place prior to the date of 
the election or cast by mail, in a manner which is consistent with the 
manner employed by the jurisdiction for preserving such ballots in 
general; or 




“(III) in the absence of either such manner or method, in a manner 
which is consistent with the manner employed by the jurisdiction for 
preserving papef-ballots in general. 

“(ii) Each p aper record produced pursuant to subparagraph (A) shall 
be suitable for a manual audit equivalent to that of a paper ballot 
voting system. 



the individual permanent voter-verified records and any other 
electronic records, upon due investigation of the cause of such 
inconsistency, the records for each ballot determined by such 
investigation to be the more reliable shall be the true and correct of 
the votes cast] 

“(iv) The individual permanent paper-records produced pursuant to 
subparagraph (A) shall be the true and correct record of the votes 
cast and shall be used as the official records for purposes of any 
recount or audit conducted with respect to any election for Federal 
office in which the voting system is used[, unless other records are 
determined under the procedure of subparagraph B(iii) to be the true 
and correct records]. 

[Notes: it defies logic to declare that a paper record should be irrebuttably presumed to be 
correct even if there is convincing evidence to the contrary. In the Cuyahoga County 
situation, for example, literal application of the proposed language would have eliminated 
10% of the vote in the county because the paper records could not be located or read. 

The revision provides for an investigation in the event of a discrepancy, the results of 
which are to be used to determine which records are reliable. 

It is a universal defect of document ballot systems (those in which the official ballot is a 
piece of paper) that only one original of the ballot exists. Therefore, if anyone defaces, 
replaces or destroys that ballot, the vote is lost.] 


“(C) Special rule for votes cast by absent military and overseas 
VOTERS. — In the case of votes cast by absent uniformed services 
voters and overseas voters under the Uniformed and Overseas 
Citizens Absentee Voting Act, the ballots cast by such voters shall 
serve as the permanent pape r record under subparagraph (A) in 
accordance with protocols established by the Commission in 
consultation with the Secretary of Defense which preserve the privacy 
of the voter and are consistent with the requirements of such Act.”. 




(2) Conforming AMENDMENT. — Section 301(a)(1) of such Act (42 
U.S.C. 15481(a)(1)) is amended — 

(A) in subparagraph (A)(i), by striking “counted” and inserting 
“counted, in accordance with paragraphs (2) and (3)”; 

(B) in subparagraph (A)(ii), by striking “counted” and inserting 
“counted, in accordance with paragraphs (2) and (3)”; and (C) in 
subparagraph (B)(ii), by striking “counted” and inserting “counted, in 
accordance with paragraphs (2) and (3)”. 

(b) Accessibility and Voter Verification of Results for Individuals 
With Disabilities. — 

(1) In general. — Section 301(a)(3)(B) of such Act (42 U.S.C. 
15481(a)(3)(B)) is amended to read as follows: 

“(B)(i) satisfy the requirement of subparagraph (A) through the use of 
at least one direct recording electronic voting system or other voting 
system equipped for individuals with disabilities at each polling place; 
and 

“(ii) meet the requirements of paragraph (2)(A) by using a system 
that — 



“(II) allows the voter to verify and cast the permanent record on paper 
or on another individualized, permanent medium privately and 
independently, and 

“(III) ensures that the entire process of voter verification and vote 
casting is accessible to the voter.”. 

[Notes: the term “vote generation” has no meaning. Votes are not generated. The term 
“physically separates” is ambiguous. In any event, a technical requirement such as this 
belongs in the EAC Voting System Guidelines. If the rejoinder is that the Guidelines are 
not mandatory then they can be made mandatory for Federal elections.] 

(2) Specific requirement of study, testing, and development of 
accessible voter verification mechanisms. — 

(A) Study AND reporting.— Subtitle C of title II of such Act (42 U.S.C. 
15381 et seq.) is amended — 

(i) by redesignating section 247 as section 248; and (ii) by inserting 
after section 246 the following new section: 

“SEC. 247. STUDY AND REPORT ON ACCESSIBL C^VOTER VERIFICATION MECHANISMS. 

“The Commission shall study, test, and develop [effective verification 
mechanisms and] best practices to enhance the [effectiveness and] 
accessibility of voter-verification mechanisms for individuals with 
disabilities and for voters whose primary language is not English, 
including best practices for the mechanisms themselves and the 
processes through which the mechanisms are used.” 

[Notes: this subsection has been generalized to provide for the development of more and 
better verification mechanisms, not just improvements in accessibility.] 


(B) Clerical amendment. — The table of contents of such Act is 
amended — 

(i) by redesignating the item relating to section 247 as relating to 
section 248; and 

(ii) by inserting after the item relating to section 246 the following new 
item: 


“Sec. 247. Study and report on accessible voter verification mechanisms.”. 

(c) Additional Voting System Requirements. — 

(1) Requirements described. — Section 301(a) of such Act (42 U.S.C. 
15481(a)) is amended by adding at the end the following new 
paragraphs: 

“(7) Instruction of election officials. — 

Each State shall ensure that all election officials are instructed on the 
right of any individual who requires assistance to vote by reason of 
blindness, other disability, or inability to read or write to be given 
assistance by a person chosen by that individual under section 208 of 
the Voting Rights Act of 1965. 

“(8) Prohibition of use of undisclosed software in voting systems. — 
No voting system shall at any time contain or use any undisclosed 
software[, subject to the exception in (i) below]. Any voting system 
containing or using software shall disclose the [specifications, 
designs, manuals and all other documentation,] source code, object 
code, and [any] executable representation of that software to the 
Commission, and the Commission shall make that- sourc e cod e . 


‘ disclosed materials] 
available for inspection upon request to any person. 

[“(i) Exception for commercial off-the-shelf software. — 

A voting system may use commercial off-the-shelf software (COTS) 
and the disclosure in subparagraph (8) shall not be required, provided 
that (1) no party involved in the design, programming, manufacture or 
sale of the voting system had any role in designing, programming, 
manufacturing or selling the COTS; and (2) the COTS was duly 
examined and certified pursuant to subparagraph (10) below. If the 
COTS has been modified in any manner, including configuration, 
since its manufacture, then the disclosure of subparagraph (8) shall 
be required as to all such modifications.] 

[This is a very significant issue, and the bill goes both too far and not far enough to 
provide for disclosure. Voting-specific code produced by vendors should be publicly 
disclosed. However, it is impractical to require disclosure of COTS source code, such as 
that of the Windows operating system. The revision here exempts “true” COTS, that is, 
COTS that has not been modified or configured by the system vendor. True COTS is 
exempt from disclosure only if it has passed testing by a certified laboratory. 

The revision also requires disclosure of documentation and related materials along with 
code.] 

“(9) Prohibition of use of wireless communications devices in voting 
SYSTEMS. — No voting system shall contain, use, or be accessible by 
any wireless, power-line, or concealed communication device at all. 
[This prohibition against wireless devices shall not apply to infrared 
interfaces, provided that no such interface is accessible externally to 
the voting system.] 

[Notes: technical requirements such as these belong in the Voting System Guidelines, not 
the statute. Congress is not well-positioned to keep technical requirements up to date, or 
even to know which ones are advisable. The anti-wireless provision is an example of a 
hasty and overreaching restriction. Radio frequency wireless should be banned because 
of the risk of interception or interference with the signals. However, there is no reason to 
ban short-range (e.g., 1 cm) infrared, where the infrared components cannot be accessed 
from outside the device.] 

[The Help America Vote Act of 2002 (42 U.S.C. 15301) is amended 
by deleting the word “voluntary” in each occurrence of the term 
“voluntary voting system guidelines.”] 

“(10) Certification of software and hardware. — All software and 
hardware used in any electronic voting system shall be certified by 
laboratories accredited by the Commission as meeting [applicable 
voting system guidelines adopted as provided in section 222 and as 
meeting] the requirements of paragraphs (8) and (9). 


[Notes: It's time to make the voting system guidelines mandatory. Otherwise there is no 
assurance that voters throughout the country will be voting on systems of comparable 
levels of quality.] 

“(11) Segurity-standaros [Conflict of interest prohibition] for 
voting systems used in federal elections. — 




“(A) In general. — No voting system may be used in an election for 
Federal office unless the manufacturer of such system and the 
election officials using such system meet the applicable requirements 
described in subparagraph (B). 

“(B) Requirements DESCRIBED. — The requirements described in this 
subparagraph are as follows: 


ch ai n of custody for th e h a nd li ng of softw a r e us e d i n conn e ct i o n- w i t b 



r e gard i ng th e i d e nt i f i c a t i on of ea ch ind i v i du al who particip a t e d in th e 

wh e th e r th e i nd i v i du a l h a s e v e r b ee n conv i ct e d of a cr i m e involv i ng 


“(iii) In the same manner and to the same extent described in 
paragraph (8), the manufacturer shall provide the codes used in any 
software used in connection with the voting system to the 
Commission and may not alter such codes once the election officials 
have certified the system unless such system is recertified by such 
election officials. 

“(iv) The manufacturer shall meet standards established by the 
Commission to prevent the existence or appearance of any conflict of 
interest with respect to candidates for public office and political 



[Note: There are considerable difficulties with the above section (11). It is impractical 
and too narrow at the same time. Its title is incorrect since it has nothing to do with 
security. The notion of the “manufacturer” is not well-defined, as software is often 
written by one company under contract to a system vendor and it is unclear who the 
“manufacturer” is in such a circumstance. The term “election officials” is not defined in 
the statute. Most circumstances under which it is used are harmless, but this one is not. 
It may make sense for the chief election officer of a state to promulgate regulations for 
the handling of software and documenting the handling, but the provision in (B)(i) is too 
indefinite as to who actually has the responsibility. 

The concern that programmers might have convictions for election fraud is legitimate, 
but surely election fraud is not the only crime that ought to be considered. (Bribery of a 
public official springs to mind as another.) Employers, however, often do not have 
accurate information concerning their employees’ pasts. The only practical way to obtain 
such information is through background checks. 

In the end, the voter-verified ballot, combined with mandatory certification guidelines 
and disclosure of source code, ought to protect against even a determined criminal 
working for a vendor. The prohibition against officers and directors of manufacturers 
participating in campaigns is unnecessary for the same reason. It would also prohibit 
such a person from running for public office, which is the right of a citizen to do.] 

“(12) Prohibiting connection of system or transmission of system 
INFORMATION OVER THE INTERNET. — No component of any voting device 
upon which votes are cast shall be[, or have ever been,] connected to 
the Internet.”. 


[It is not enough to forbid connecting a device to the Internet - we must be sure it has not 
been connected at any time in the past, since it might have become infected with malware 
at such a time.] 


(2) Requiring laboratories to meet standards prohibiting conflicts 
of interest as condition of accreditation for testing of voting 
system hardware and software. — 

(A) In GENERAL.— Section 231(b) of such Act (42 U.S.C. 15371(b)) is 
amended by adding at the end the following new paragraph: 

“(3) Prohibiting conflicts of interest; ensuring availability of 
results. — 

“(A) In GENERAL. — A laboratory may not be accredited by the 
Commission for purposes of this section unless — 

“(i) the laboratory meets the standards applicable to the 
manufacturers of voting systems under section 301(a)(11)(B)(iv), 
together with such standards as the Commission may establish to 
prevent the existence or appearance of any conflict of interest in the 
testing, certification, decertification, and recertification carried out by 
the laboratory under this section, including standards to ensure that 
the laboratory does not have a financial interest in the manufacture, 
sale, and distribution of voting system hardware and software, and is 
sufficiently independent from other persons with such an interest; and 
“(ii) the laboratory, upon completion of any testing, certification, 
decertification, and recertification carried out under this section, 
discloses the results to the Commission. 

“(B) Availability OF RESULTS. — Upon receipt of information under 
subparagraph (A)(ii), the Commission shall make the information 
available to election officials and the public.”. 




(B) Deadline for establishment of standards. — The Election 
Assistance Commission shall establish the standards described in 
section 231(b)(3) of the Help America Vote Act of 2002 (as added by 

after funds have been made available to the Commission to develop 
such standards]. 


[Notes: the revision ensures that the Commission will not be required to perform without 
funding.] 

(d) Availability of Additional Funding to Enable States to Meet 
Costs of Revised Requirements. — 

(1) Extension of requirements payments for meeting revised 
requirements. — Section 257(a) of the Help America Vote Act of 2002 
(42 U.S.C. 15407(a)) is amended by adding at the end the following 
new paragraph: 

“(4) For fiscal year 2 00 Q[2008], $150,000,000, except that any funds 
provided under the authorization made by this paragraph may be 
used by a State only to meet the requirements of title III which are 
first imposed on the State pursuant to the amendments made by 
section 2 of the Voter Confidence and Increased Accessibility Act of 
2005.”. 

(2) Permitting use of funds for reimbursement for costs previously 
incurred.— 

Section 251(c)(1) of such Act (42 U.S.C. 15401(c)(1)) is amended by 
striking the period at the end and inserting the following: “, or as a 
reimbursement for any costs incurred in meeting the requirements of 
title III which are imposed pursuant to the amendments made by 
section 2 of the Voter Confidence and Increased Accessibility Act of 
2005.”. 

SEC. 3. ENHANCEMENT OF ENFORCEMENT OF HELP AMERICA VOTE ACT OF 2002. 

Section 401 of such Act (42 U.S.C. 15511) is amended — (1) by 
striking “The Attorney General” and inserting “(a) In General. — The 
Attorney General”; and (2) by adding at the end the following new 
subsections: 

“(b) Filing of Complaints by Aggrieved Persons. — 

“(1) In general. — A person who is aggrieved by a violation of section 
301, 302, or 303 which is occurring or which is about to occur may file 
a written, signed, [sworn,] notarized complaint with the Attorney 
General describing the violation and requesting the Attorney General 
to take appropriate action under this section. 

[Notes: Complaints must be sworn and thus made under penalty of perjury to prevent 
abuse of the right of complaint.] 


“(2) Response by attorney general. — The Attorney General shall 
respond to each complaint filed under paragraph (1), in accordance 
with procedures established by the Attorney General that require 
responses and determinations to be made within the same (or 
shorter) deadlines which apply to a State under the State-based 
administrative complaint procedures described in section 402(a)(2). 
“(c) Clarification of Availability of Private Right of Action. — 
Nothing in this section may be construed to p Fe hi b it/a//ow/ any person 
from bringin gfto bring] an action under section 1979 of the Revised 
Statutes of the United States (42 U.S.C. 1983) to enforce the uniform 
and nondiscriminatory election technology and administration 
requirements under sections 301, 302, and 303. 


[Notes: It is a great mistake to provide a private right of action under HAVA, and such 
was never intended, hence the administrative complaint procedure. Decisions concerning 
voting systems are made by duly authorized officials based on examinations they conduct 
and the results of studies by accredited laboratories. The experience has been that people 
who feel that a requirement is missing from the guidelines have been filing lawsuits 
alleging defects in the certification process, attempting to shift to a court the task of 
making technical determinations that have been left to other bodies by statute. We have 
already seen a proliferation of litigation of this sort. If a private right of action is 
conferred, the number of lawsuits will explode.] 

“(d) No Effect ON State Procedures. — Nothing in this section may 
be construed to affect the availability of the State-based 
administrative complaint procedures required under section 402 to 
any person filing a complaint under this subsection.”. 

SEC. 4. PERMANENT EXTENSION OF AUTHORIZATION OF ELECTION ASSISTANCE 
COMMISSION. 

Section 210 of the Help America Vote Act of 2002 (42 U.S.C. 15330) 
is amended by striking “each of the fiscal years 2003 through 2005" 
and inserting “each fiscal year beginning with fiscal year 2003”. 

SEC. 5. REQUIREMENT FOR MANDATORY MANUAL AUDITS BY HAND COUNT. 

(a) Mandatory Audits in Random Precincts. — 

(1) In general. — The Ele ct i on - A ssi stanG e- Commiss i on [chief election 
official of each state] shall condu et [cause to be conducted] random, 
unannounced, hand counts of the voter-verified records required to 
be produced and preserved pursuant to section 301(a)(2) of the Help 
America Vote Act of 2002 (as amended by section 2) for each 
general election for Federal office (and, at the option of the State or 
jurisdiction involved, of elections for State and local office held at the 
same time as such an election for Federal office) in at least 2 percent 
of the precincts (or equivalent locations) in each State[, which 
precincts collectively shall include at least 2 percent of the registered 
voters of such State]. 

[Notes: It is impractical to repose responsibility for state election audits in the 
Commission. Each one must be conducted in accordance with state law, and they must 
be completed at high speed immediately following an election. A 2% mandatory hand 
count will result in the hand-tabulation of about 2.5 million ballots in a general election. 
Experiments have shown that hand-counting of ballots, including all necessary steps, 
takes approximately 20 minutes per ballot (Sacramento County California). If only 
Federal offices are hand-counted, let us assume the time would go down to 5 minutes, or 
12 per hour. Counting 2.5 million ballots would take more than 200,000 man-hours, or 
100 man-years. To accomplish this over a period of one week would require 5000 people. 
While this is only 100 per state, on average, it is far more than could be mustered and 
managed by the EAC. Thus the revision language hands the responsibility over to the 
states. 

The original text would have recast the EAC as an oversight and enforcement body, 
which it is not equipped and was not intended to be.] 


(2) Process for conducting audits. — The Commission shall 
conduct [required] an audit under this section of the results of an 
election [shall be conducted] in accordance with the following 
procedures: 


[(A) In every Federal election, the results of any vote count obtained 
at a precinct or equivalent location shall be publicly posted as soon 
as practicable following the close of polls.] 

(B) With respect to votes cast at the precinct or equivalent location on 
or before the date of the election (other than provisional ballots 
described in subparagraph (C)), the Commission shall count by hand 
the voter-verified records required to be produced and preserved 
under section 301(a)(2)(A) of the Help America Vote Act of 2002 (as 
amended by section 2) and compare [shall be counted by hand and 
' count of such votes 
[publicly posted at the precinct or equivalent location on or before the 
date of the election] as announced by the State. 

(C) With respect to votes cast other than at the precinct on the date of 
the election (other than votes cast before the date of the election 
described in subparagraph (B)) or votes cast by provisional ballot on 
the date of the election which are certified and counted by the State 
on or after the date of the election, including votes cast by absent 
uniformed services voters and overseas voters under the Uniformed 
and Overseas Citizens Absentee Voting Act, the Commission shall 
count by hand the applicable voter verified records required to be 
produced and preserved under section 301(a)(2)(A) (as amended by 
section 2) and compare [shall be counted by hand and compared with] 
those records with the [any] count of such votes [publicly posted at 
the precinct or t 


[Notes: as a general matter, states do not publicly announce vote totals prior to 
certification of the election, which may not occur until three weeks after Election Day. 
The revision would require posting of totals at each polling location, which is already 
commonly done, and to use the publicly posted results as the basis of comparison with 
the voter-verified records.] 


(3) Special rule in case of delay in reporting absentee vote count.— 
In the case of a State in which, under State law, the final count of 
absentee and provisional votes is not announced until after the 
expiration of the 7-day period which begins on the date of the election, 
the Commission shall initiate the [audit] process described in 
paragraph (2) for conducting the audit [shall commence] not later 
than 24 hours after the State announces the final vote [public posting 
of the] count for the votes cast at the precinct or equivalent location 
on or before the date of the election, and shall initiate the recount of 
the absentee and provisional votes pursuant to paragraph (2)(C) not 
later than 24 hours after the State announces the final [public posting 
of the] count of such votes. 


an audit is conducted under this section shall provide the 
Commission with the information and materials requested by the 
Commission to enable it to carry out the audit. 

(b) Selection of Precincts. — The selection of the precincts in a State 
in which the Commission shall conduct hand counts under this 
section [are conducted] shall be made by the Commission on [a] an 
entirely random basis using a uniform distribution in which all 
precincts in a State have an equal chance of being selected, in 
accordance with such procedures as the Commission determines 
appropriate, except that — 

(1) at least one precinct shall be selected in each county (or 
equivalent jurisdiction); and 

(2) the Commission [chief election officer] shall publish the 
procedures [to be used] in the Federal Register [an official state 
publication regularly used for announcement of administrative 
regulations] prior to the selection of the precincts. 

(c) Publication. — 

(1) In general. — As soon as practicable after the completion of an 
audit conducted under this section, the Commission [chief election 
officer] shall announce and publish the results of the audit, and shall 
include in the announcement a comparison of the results of the 
election in the precinct as determined by the Commission under the 
audit and the final vote count [publicly posted] in the precinct [or 
equivalent location] as announced by the State, broken down by the 
categories of votes described in subparagraphs (B) and (C) of 
subsection (a)(2). [Such results shall be provided to the Commission 
within 48 hours.] 

[Notes: The above changes result from shifting responsibility for audits from the 
Commission to the chief election officials of the states.] 


(2) Delay in certification of results by state. — No State may certify 
the results of any election which is subject to an audit under this 
section prior to the completion of the audit and the announcement 
and publication of the results of the audit under paragraph (1), except 
to the extent necessary to enable the State to provide for the final 
determination of any controversy or contest concerning the 
appointment of its electors for President and Vice President prior to 
the deadline described in section 6 of title 3, United States Code. 

(d) Additional Audits If Cause Shown. — If the Commission finds that 
any of the hand counts conducted under this section show cause for 
concern about the accuracy of the results of an election in a State or 
in a jurisdiction within the State, the Commission may conduct 
[Attorney General may require] hand counts [to be conducted] under 
this section at such additional precincts (or equivalent locations) 
within the State or jurisdiction as the Commission considers 
appropriate to resolve any concerns and ensure the accuracy of the 
results. 

(e) Availability of Enforcement Under Help America Vote Act of 
2002. — Section 401 of the Help America Vote Act of 2002 (42 U.S.C. 
15511), as amended by section 3, is amended — 

(1) in subsection (a), by striking the period at the end and inserting 
the following: “or to respond to an action taken by a State or 
jurisdiction in response to an audit [required by or performed] by the 
Commission under the Voter Confidence and Increased Accessibility 
Act of 2005 of the results of an election for Federal office or by the 
failure of a State or jurisdiction to take an action in response to such 
an audit.”; 

(2) in subsection (b)(1), by striking “about to occur” and inserting the 
following: “about to occur, or by an action taken by a State or 
jurisdiction in response to an audit conducted by the Commission 
under [required by or performed under] the Voter Confidence and 
Increased Accessibility Act of 2005 of the results of an election for 
Federal office or by the failure of a State or jurisdiction to take an 
action in response to such an audit”; and 

(3) in subsection (c), by striking the period at the end and inserting 
the following: “or to respond to an action taken by a State or 
jurisdiction in response to an audit conducted by the Commission 
under [required by or performed under] the Voter Confidence and 
Increased Accessibility Act of 2005 of the results of an election for 
Federal office or by the failure of a State or jurisdiction to take an 
action in response to such an audit.”. 


[The role of enforcing the audit requirements has been shifted from the Commission, 
which is not an enforcement body, to the Attorney General, with the Commission in the 
place of recommending action to the Attorney General.] 

(f) Authorization of Appropriations. — In addition to any other 
amounts authorized to be appropriated under any other law, there are 
authorized to be appropriated to the Election Assistance Commission 
such sums as may be necessary to carry out this section. 

(g) Effective Date. — This section shall apply with respect to regularly 
scheduled general elections for Federal office beginning with the 
elections held in November 2006 [held on and after one year 
following the date on which a voting system that conforms to the 
requirements of this section shall become commercially available in 
the United States, as the Commission shall determine]. 

[Notes: It makes no sense to impose a statutory requirement that is not capable of being 
met, for to do so would disrupt the electoral process around the country. Therefore the 
revision provides for a technological development period. 

Because of the statutory requirement of verification, great benefit will accrue to the first 
vendor who produces a conforming system, since that will start a one-year clock for 
compliance by jurisdictions.] 

SEC. 6. REPEAL OF EXEMPTION OF ELECTION ASSISTANCE COMMISSION FROM 
CERTAIN GOVERNMENT CONTRACTING REQUIREMENTS. 

(a) In General. — Section 205 of the Help America Vote Act of 2002 
(42 U.S.C. 15325) is amended by striking subsection (e). 

(b) Effective Date. — The amendment made by subsection (a) shall 
apply with respect to contracts entered into by the Election 
Assistance Commission on or after the date of the enactment of this 
Act. 

SEC. 7. REQUIREMENT FOR FEDERAL CERTIFICATION OF TECHNOLOGICAL 
SECURITY OF VOTER REGISTRATION LISTS. 

Section 303(a)(3) of the Help America Vote Act of 2002 (42 U.S.C. 
15483(a)(3)) is amended by striking “measures to prevent the” and 
inserting “measures, as certified by the Election Assistance 
Commission, to prevent”. 

SEC. 8. EFFECTIVE DATE. 

Except as provided in section 6(b), the amendments made by this Act 
shall take effect as if included in the enactment of the Help America 
Vote Act of 2002. 

[Section 101 of the Help America Vote Act of 2002 (42 U.S.C. 15301) 
is amended by adding at the end the following new paragraph: 

“(d) Federal office defined.— The term “Federal office” means the 
office of Senator or Representative in, or Delegate or Resident 
Commissioner to, the Congress.”] 


[Notes: This change is required to preserve the constitutionality of HAVA. The term 
“Federal office” was used in HAVA but was not defined. Under the Constitution, 
Congress has highly constrained power to regulate elections for President and Vice- 
President, being limited essentially to specifying the date on which electors shall be 
chosen. 

The new definition makes it clear that President and Vice-President are not “Federal 
offices” for purposes of the statute. The practical effect of the change may be minimal, 
since in regularly scheduled elections, voting for senators and representatives occurs at 
the same time as choosing electors for President.] 




The Chairman. We will now turn to questions from the com- 
mittee, and I will begin and yield myself 5 minutes for that pur- 
pose. And Dr. Shamos, since we just finished with you, let me pur- 
sue one comment you made. I could pursue many, and I am sure 
others will pursue those, but on the one you said paper trails are 
no more accurate than any other method. Let me ask if you would 
also include paper ballots which are then read by a computer in 
that category. 

Mr. Shamos. Oh, Mr. Chairman, I don’t think I actually made 
any comment about the accuracy of voting systems. I think I said 
that paper systems weren’t secure. 

As far as accuracy, accuracy is a very poorly defined concept in 
voting systems and extremely difficult to measure, because we need 
to know in advance the voter’s intent before they go into the voting 
booth. Then we need to see through the entire chain of custody of 
all the ballots at the end whether the final tally really reflects how 
the voters intended to vote. That is nearly unmeasurable except in 
small laboratory experiments. So I actually haven’t made a com- 
ment about accuracy. 

The Chairman. Okay. In general, your comments about paper 
trails, do those also apply to paper ballots that are then scanned 
electronically? 

Mr. Shamos. Paper ballots that are scanned electronically are 
certainly subject to the same kinds of tampering. In fact it is easier 
in general to tamper with those because they are cut sheet paper, 
individual pieces of paper. There are all sorts of problems with op- 
tical scan voting but it is certainly acceptable as a method of vot- 
ing. We use it in Pennsylvania. It is in widespread use around the 
country. 

The Chairman. Let me just extend that one little bit. In terms 
of recounting for — in case someone demands a recount, isn’t a 
paper ballot a good reliable method of recounting, simply because 
the voters themselves have marked that particular piece of paper? 

Mr. Shamos. No. The problem is that once the voter has marked 
the ballot and verified that the ballot is marked the way she wants, 
she has no assurance that by the time the recount occurs, that 
same piece of paper is going to be in the hands of the recounters. 

Ms. Lofgren from Silicon Valley might recall that in the 2004 
election in San Francisco, 3 weeks after the election, ballot boxes 
were found floating in San Francisco Bay with ballots in them. And 
so we have not solved the problem, security of paper ballots, in a 
widely distributed voting system that we have in the United 
States, with a couple hundred thousand precincts. 

The Chairman. Thank you. I didn’t realize we had that problem 
since the LBJ election and Tammany Hall, Prendergast, et cetera. 
Thank you. 

And quickly I am turning to Mr. Felten, I am interested in your 
comments. How easily could one access the voting machine and in- 
sert a virus of the type you have commented? How long does it take 
to actually get the virus in place? Would someone need to access 
the machine for an appreciable amount of time? Or is this some- 
thing that a voter in a voting booth could do? 

Mr. Felten. It takes about 1 minute of access to the machine, 
and I can show you roughly what would be involved. It would 
involve opening the door on the side of the machine, which would 
require getting a key. As I said, those are for sale on the Internet. 
There may be some security tape that would need to be removed 
and might be missing already. Opening up this door, putting in the 
memory card like this into the side of the machine — the memory 
card would have been prepared in advance with the computer virus 
on it — then pressing the red power button and waiting about 30 
seconds, and afterward closing everything up and putting it back. 

This is something that would be unlikely to be doable by a voter 
in the polling place, but if the machine is not — if the machine is 
not guarded with a very careful chain of custody throughout its life 
cycle, it can be available to that. In my polling place in Princeton, 
the DRE machines sit unattended overnight, the night before the 
election, in an unlocked school lobby. 

The Chairman. How long would it take someone who had access 
to the machine to figure out how to write the program? 

Mr. Felten. It requires some information about how the ma- 
chine works. This is not a Manhattan Project. It requires a mod- 
erate level of skill in computer programming and some limited 
knowledge, probably the knowledge that has in this case — that had 
leaked from the vendor to the Internet a few years ago, would be 
nearly enough. And I think an unscrupulous person would not have 
a problem getting the necessary information. 

The Chairman. So from the time you started looking at the ma- 
chine until you devised the virus, what sort of time was involved? 

Mr. Felten. We got the machine in May. At first we spent a lot 
of time taking it apart to understand everything we could about 
how it worked. We were interested not only in whether a virus 
would be possible, but we really wanted to understand all of the 
security mechanisms and we wanted to treat it very carefully. 
From the time we started developing virus code until we had a 
working virus, perhaps a few weeks. 

The Chairman. Thank you very much. My time has expired. I 
am pleased to recognize my Ranking Member, the gentlelady from 
California. 

Ms. Millender-McDonald. Thank you so much, Mr. Chairman, 
and thank you again for this very interesting hearing. 

The one thing I want to say about my friends in the Senate, they 
have a bill out now, saying that every polling place should have a 
large supply of emergency paper ballots that can be used in emer- 
gency situations. That is just where we are. That is what we think 
about voting now in this country of ours. And so Senator Dodd and 
Senator Boxer and others have submitted this bill. 

But I have said all along that there is a security issue here. 
There is a trust issue that we must come to bear in terms of voters. 

Mr. Felten spoke about when there aren’t consequences, there 
are compromises — or consequences bring compromises. And I want- 
ed him to expound a little bit on that. And he also said that exist- 
ing election procedures are not adequate for elections. I want you 
to expound on that too, sir. And tell me, if Mr. Dickson feels a 
paper trail is not adequate, especially for disability, then you are 
suggesting, Mr. Felten, that paper trails do cut down on voter 
fraud. So we have some imbalance here. If you could just speak to 
that for me on those issues. 





Mr. Felten. Certainly. The first issue had to do with the 
consequences of the compromise being worse in an electronic sys- 
tem. And in the example that we gave here, there is a computer 
virus that will spread itself from one voting machine to others, and 
the consequence is that if someone is able to compromise one ma- 
chine, the virus can spread to many machines and potentially af- 
fect all the votes on all of those machines, as compared to fraud 
with an old-fashioned ballot box where access to a ballot box only 
allows someone to tamper with the votes that are in that ballot 
box, or maybe increase them by some amount. Access to one cannot 
involve stealing tens of thousands of votes as with an electronic 
system. 

Ms. Millender-McDonald. But this virus, you say, can pass 
from one machine or one voter to another. I think you stated that. 
How can that be when I am told manufacturers do not give out this 
so-called code, secure code they use, how can that then be done 
with that? 

Mr. Felten. Well, the way that the virus — the way that this 
virus spreads is on these memory cards. The memory cards are 
programmed before an election, usually at a central location, and 
they are programmed with the list of races and the list of can- 
didates and so on for that election. Then they are distributed out 
to the polling places and put into the voting machines. That is a 
possible — that is a possible mode of travel of the virus. 

If the virus gets onto the memory card at that central location, 
it will then be installed out into the voting machine. After the elec- 
tion, the memory cards go in the opposite direction to carry the 
votes back to the county clerk or Board of Elections Office to tab- 
ulate them, and that allows the virus to go in the other direction. 
So a virus in one machine may hitch a ride on a memory card, 
after the election, back to the election headquarters and then po- 
tentially spread there onto many other cards that are then distrib- 
uted, say, for the next election. 

This is much like the process by which older computer viruses 
spread on floppy disks. If you put an infected floppy disk into your 
PC, your PC would catch the virus and then it would spread to any 
other disk that you put into your machine. So it hitches a ride, 
opportunistically, on top of the flow of these memory cards that 
happens in running an election normally. 

Ms. Millender-McDonald. How do we answer Mr. Dickson’s 
whole notion that paper trails are not acceptable to the disabled 
and yet you say cut down on voter fraud? 

Mr. Felten. Yes, I do believe it cuts down on voter fraud and 
I do believe that a paper trail, well designed, can be just as acces- 
sible. Mr. Dickson held up the roll of paper and pointed out he 
could not view that or verify it or audit it. But the DRE system 
that he is advocating stores his votes on this, which neither he nor 
anyone else can simply look at and read. The problem with these 
DREs and the security problem is exactly the thing that Mr. 
Dickson is complaining about: the inability of any voter to look at 
the machine and see their vote recorded. So I don’t believe that 
there is a conflict between the use of a paper trail and accessibility. 

Ms. Millender-McDonald. There are just so many questions 
that I have just put all over the place here. The whole notion, Mr. 
Cunningham, that you spoke of — and I see my red light is on 
already. That is what I am saying, it is just so much in so little time 
to talk. 

The Chairman. We will have a second round. 

Ms. Millender-McDonald. A second to go back? 

The Chairman. Second round. 

Ms. Millender-McDonald. My second round I will come back 
to you, Mr. Cunningham and Mr. Shamos, because I do want to 
talk with you. Thank you, Mr. Chairman. 

The Chairman. Thank you. The Chair recognizes Mr. Brady, the 
gentleman from Pennsylvania, for 5 minutes. 

Mr. Brady. Thank you, Mr. Chairman. Mr. Chairman, I have a 
point of inquiry. Will Mr. Holt have a chance to speak? Will he 
have a chance to speak? 

The Chairman. By unanimous consent, we will allow Mr. Holt to 
speak. 

Mr. Brady. Okay. I am just — I don’t think voting is a science. I 
think it is a people person thing. I think it is — I think it is a 
human thing. And I think that anything we do here, no matter 
what it may be, can be attacked, can be hacked into, can be 
verified. Ballot boxes can be put in a river, could not be shown. But 
I think what we are trying to show is try to eliminate as best as 
possible all these things that can possibly go wrong. And I don’t 
understand why a receipt — because that is what I look at a paper 
ballot as a receipt — why, when you vote and you get your receipt 
and you have that and you see what you voted for — and if you don’t 
have that, then you could — if you don’t have that, then you can 
allow some type of protest somewhere. If you have no receipt, you 
think you voted, you don’t know. It is up to now whatever tabula- 
tion or whatever machine or mechanical or scientific tabulation 
happens. And I don’t understand why it would be a problem for 
anybody having a receipt. 

Mr. Shamos, you heard my statement and you have inspected 
many times the voting machines, and from what I understand, you 
had said that a malicious hacker could easily make the same 
switch, allowing votes to be changed from one vote to thousands of 
votes. Then if that is the case, why are these — we think these sys- 
tems aren’t reliable and if that is the case, what would be the prob- 
lem with a verified paper trail? If I want to vote and I want to vote 
for you, if I look at a paper and it says I didn’t vote for you, I can 
lodge a complaint right there. If I walk out there with nothing, I 
don’t know who I actually voted for. I am in the hands of that ma- 
chine, a hacker or anybody who could probably get in to violate the 
voting process. I don’t understand why this should be a problem. 
No matter what we do, there will still be a human factor some- 
where, someplace, somehow. 

At least a voter has the confidence that he has or she has a piece 
of paper stating that, yes, I did vote; yes, this is who I voted for. 
And if there is a mistake, you may have a chance to rectify it right 
there. That is my point. 

I yield back the balance of my time. Thank you, Mr. Chairman. 

The Chairman. Any answers or any comments? 

Mr. Shamos. I can say something. It is certainly true that if a 
malicious hacker is able to gain access to a voting machine and 
replace the software that is in there in such a way that that change 
is not detected, then there are severe problems. And that is what 
I say, when we find security vulnerabilities, we have to find ways 
of plugging them. 

For example, the vulnerability discovered by Professor Felten’s 
group at Princeton was known to us in Pennsylvania back in 
March, right before our May primary. And we were forced to make 
an emergency remediation in Pennsylvania to blunt the effects of 
that discovered vulnerability, because we wanted to be able to as- 
sure county election officials and voters that an intrusion of the 
kind that was demonstrated here today was not possible, or if it 
had happened, the effects of it would have been reversed and so we 
remediated that. We also instructed the vendor that the next time 
it comes back for a certification, it better have remediation of its 
own so that we don’t have to impose administrative procedures to 
make sure that that vulnerability can’t be exploited. 

So I am not minimizing the possibility that people are out there 
trying to hack things. My point is the response to the hack is not 
to throw the machines in the ocean and go back to what we were 
doing in 1890. If it is a technological problem, we have a techno- 
logical solution. 

With respect to the receipt, a lot of people think of the word “re- 
ceipt” as meaning something that the voter can take home with 
them and look at later at their leisure and show maybe at some 
later time to an election official and say, see, this is really how I 
voted. 

It is not legal to give receipts of that kind because you can’t give 
a voter anything they can use to prove how they voted, since they 
could then sell their vote. So the receipts we are talking about, 
these voter-verified paper trail systems, the voter has a chance to 
view the receipt on the machine and then say yea or nay; yes, that 
truly represents my vote or not, and then when they leave the poll- 
ing place, they don’t have a piece of paper to take with them, and 
my point — the point that I made in my earlier testimony is that it 
is nice enough to show the voter that their vote was properly re- 
corded. But, again, there is no assurance that at the time the votes 
are actually tallied later, or a recount was done, that that piece of 
paper is even around or hasn’t been replaced by something else, 
and there are people who are working on the solution to that prob- 
lem and we are not there yet. 

Mr. Brady. Mr. Chairman, if I can just answer, you are way out 
there. You are talking about after voting, you are talking about 
people manipulating receipts that they may or may not get. I 
mean, now you are becoming human factor after human factor 
after human factor, somebody is hell-bent on trying to rig an elec- 
tion. That is not what we are talking about. We are talking about 
voter confidence. That is what I am talking about. I am not talking 
about a receipt you take home and say, I want to change my vote 
or I made a mistake. Because people do make mistakes. If you 
make a mistake on the voting machine, you make a mistake. You 
can’t rectify it after you validate it. 

But I am saying, as you are saying, look, this is who I voted for. 
This is what I wanted to do. Push the okay button, push the vote 
button, whatever, close the curtain, open the curtain. I don’t think 
there is anything wrong with that. That is what I am saying. I 
don’t think there is nothing wrong with our bill. 

Mr. Shamos. If I told you that mechanism could be used to dis- 
cover how every voter in the precinct voted, that might change your 
mind. 

Mr. Brady. I learned that you people with this electronic sci- 
entific, you show me anything I ever did in my entire life. So that 
doesn’t scare me. 

The Chairman. That might make for an interesting episode. Ms. 
Simons, quickly. 

Ms. Simons. I just wanted to comment briefly on this whole 
paper issue, because I think we are comparing apples and oranges. 
One of the basic issues is how well engineered these systems are. 
And somebody who was advocating for voter-verified paper trails 
early on, before the machines were retrofitted — I have to say I was 
appalled by what the voting machine companies came out with. 
They are bad. 

I mean, Mr. Cunningham is right. Jim Dickson is right. The con- 
tinuous rolls of thermal printed paper have privacy issues, as Mi- 
chael Shamos says. But they are badly engineered. It is bad tech- 
nology. There is no reason why paper has to be — why they have to 
be designed that way. They were the cheapest way to do it. That 
was why it was done that way. I mean, banks deal with paper all 
the time. They manage to count it. And I don’t think they make 
many counting mistakes. Other countries vote on paper, and they 
don’t have problems. We can do it, too, but we have to do it right. 
If you do it wrong, it will fail. 

The Chairman. And for the last quick word, Mr. Dickson. 

Mr. Dickson. Chairman Ehlers, I wanted to respond to your 
question about counting optical scan ballots by machines. We have 
a lot of experience in this country with that. When you have large 
numbers of ballots, hundreds of thousands, and you have got a 
close race, every time the optical scan ballots have been counted 
you get a different number. You get a different number. We do not 
have the technology to accurately count large pieces of paper. 

The Chairman. Right. Thank you very much. 

Next the Chair recognizes the gentlewoman from California, Ms. 
Lofgren, for 5 minutes. 

Ms. Lofgren. Thank you, Mr. Chairman. This is a very helpful 
hearing, and as I am listening, it seems to me that the point made 
by Ms. Simons needs to be emphasized: The fact that we have a 
dysfunctional roll doesn’t mean that that is the only alternative 
available as an auditable trail. 

You know, I spent more years on the board of supervisors in 
Santa Clara County than I have so far in Congress, and in Cali- 
fornia, the counties are the repository of the registrar of voters, and 
in California the registrar of voters is a civil service position. It is 
very nerdish, I guess is the best word you could say, in Silicon Val- 
ley and very apolitical, and it wasn’t really until I got on the board 
of supervisors that I realized — I guess I never really thought about 
it — that, you know, some of the votes get lost. 

People don’t think about that, but we had the little punch cards 
for a long time and it would jam up the machines on election night, 
and some of the ones that got mangled didn’t get caught. And it 
didn’t ever — at a time when the country was less closely divided 
than it is today, nobody really noticed because elections weren’t 
that close. But of course now we have close elections all the time, 
and we are paying more attention to it. And so I do think that we 
need to make sure — you can’t have a perfect system, I suspect, but 
we need to have a system where people do not question the integ- 
rity of it. 

I remember going with a computer scientist in my district who 
really said this: Yes, you can make a mistake, I mean, you can take 
a ballot box and throw it out, but the difference with hacking a ma- 
chine is it is not random, the direction in which those votes are 
going to be lost. 

And so I am very enticed by Mr. Holt’s bill. I would know that 
in a standards setting, there has been discussion that this would 
eliminate the privacy of individuals. But on page 3, line 13, of his 
vote, it specifies that to comply with the act that would not be per- 
missible. 

So I think, you know, part of what we do here in Congress is to 
set standards and laws that need to be met, just as NIST does from 
an engineering point of view. 

I am wondering, Mr. Felten, Mr. Shamos said something to the 
effect that you could verify other than by paper means. I don’t 
want to misquote you or something; it was something to that effect. 
How would you do that with the virus that your lab created? How 
would you do a verification without — would there be a way? 

Mr. Felten. Well, I think that the idea of nonpaper verification 
is something that is not ready yet. It is an active area of research. 
Mr. Shamos referred to Professor Rivest’s work, which, by the way, 
is an all-paper system. And that is an interesting proposal, but I 
would not want to trust an election to it tomorrow. I think that 
years from now we may be in the position to have effective and 
useable nonpaper-based systems, but I do not believe they are 
ready yet and I don’t think we can afford to wait. 

Ms. Lofgren. Mr. Shamos, your testimony has been very inter- 
esting, and thank you for your advocacy and your work on assuring 
systems. One of the things that you suggested, that we needed to 
make sure that vulnerabilities are protected again — and no one 
would disagree against that — but one of the things I learned in my 
prior life in local government was that elections, they are not cha- 
otic but they are — they are chaotic. You have got, you know, PTA 
mothers and you have got volunteers, and there are schools, and 
it is really — I love election day, but it is not really tightly controlled 
and cannot be, because that is not the way Americans hold elec- 
tions, unless we completely fund this and have full-time paid peo- 
ple. And I don’t think we are moving in that direction. 

So how would we be able — even if we found this virus, I know 
from Silicon Valley, I mean there are a million ways to hack this 
stuff. Given the fact we have this chaotic system, we have smart 
hackers everywhere, how do you protect against those 
vulnerabilities in your judgment? 

Mr. Shamos. Okay. So there are several ways. One is that we are 
never going to achieve perfection, we are never going to locate all 
vulnerabilities that exist in systems because we don’t know how 
clever people may be in the future to get around the protections
that we have built in. But this is true not just in voting systems.
In every kind of system that has ever been made, there are later 
discovered vulnerabilities. 

As I said in my testimony, I am in favor of voter verification. 
Voter verification is a way of assuring that if a vulnerability has
been exploited that we are going to know about it. 

I think you just asked about a potential nonpaper mechanism for 
verification. I will give you a very simple one that the TS unit over 
there has a touch screen that shows things to the voter. The voter 
is not positive, however, that the marks that she makes that are 
visible on the screen are actually getting recorded by the machine. 
So all we have to do is have a second screen, made by a different 
manufacturer, and we take an electrical wire and we get a copy of 
whatever is on the first screen to the second screen, and we attach 
a digital camera to that and we make a record of what the screen 
showed. And if the voter has any doubt it has been recorded cor- 
rectly, she can press a button that says “replay” and it will show 
her her vote again on the screen. And that vote gets recorded on 
a CD or DVD and prevents it from being tampered with later. That 
is just a trivial example of a nonpaper verification mechanism. 

The second way of doing it is through something called parallel 
testing, which is used in at least 10 counties in California. It is 
going to be used in Massachusetts in November. It is used in sev- 
eral other States, where you sequester a machine or machines dur- 
ing the election, during the actual time of the election, and you 
have a team of people vote on them, simulating the way they vote, 
except they vote according to the predefined script so we know 
what the total should be at the end. Then at the close of polls, we 
close that machine and we see if the totals match. If they don’t 
match, then we know that there is a rat somewhere, and we do a 
forensic examination to find out where the rat is. 

The Chairman. The gentlewoman’s time has expired. I am
pleased to recognize our guest, Representative Holt, for five minutes.

Mr. Holt. I thank the Chairman and I am pleased to see that 
we are holding — that you are holding this hearing, and I welcome 
the opportunity to be with you. And I regret that the hearing is 
being held the day before our target adjournment for the year. But 
nevertheless, I think you have put together a good panel of wit- 
nesses. 

Let me just make two quick comments. One is, HAVA had the 
unanticipated effect of motivating jurisdictions to go out and buy 
devices for voting that are clear, simple, accessible, easy to use and 
totally unverifiable. And it may be that there are various future 
methods of verifying that are not yet thought of or not yet devel- 
oped, but right now we have a method of verifying where each 
voter can verify her vote at the time of voting, and that is a paper 
trail. And I do think it can be made accessible for voters, for all 
voters. 

Mr. Shamos just described a rather Rube Goldberg-ish CD cam- 
era that was going to photograph another screen. Boy, paper record 
sounds a whole lot easier to me.

But anyway, let me first go to Mr. Felten, Professor Felten. How
detectable would the virus that you devised, or that someone might 
devise, be before, during, and after the election? 

And let me ask another question. I don’t know whether you are 
familiar enough with the kind of chain of custody and other check- 
lists that Mr. Smith puts his machines through. Do you think a 
virus could be implanted in a system that had the kinds of protec- 
tions that Mr. Smith describes? 

Mr. Felten. First the question of how detectable this would be. 
There is a long-established cat-and-mouse game in the PC world 
between virus writers and antivirus companies, and the virus writ- 
ers have proven very successful at making viruses that are quite 
difficult to find, especially in advance. And I would expect, or I sup- 
pose fear, that we would see the same phenomenon here. We did 
not try to make this virus as stealthy as we could. But I think that 
if someone used the same methods that are used in the PC world 
to make viruses hide, it would be very difficult indeed to find in 
advance. 

Preelection logic and accuracy testing as has been discussed here 
will not find the virus that we devised, because it simply checks 
whether the machine is in logic and accuracy testing mode or real 
election mode, and if it is in logic and accuracy testing mode, the 
virus simply lies low. So I think it might be quite difficult to find, 
and I certainly would not have confidence that if it were implanted 
it could be found. 

The second part of your question related to the procedures that 
Mr. Smith described, and I think those sorts of procedures are very 
valuable. They do help to close the gap, to close the window of vul- 
nerability, but we also have to recognize that procedures are not 
perfect and are not always followed. Like any other part of our 
election system, there will be gaps, there will be errors. And I still 
worry, despite the best of procedures, that the window of vulner- 
ability opens enough that a determined adversary can get through 
it. 

Mr. Holt. Thank you Mr. Shamos. 

Yes, Mr. Smith. If there will be another round of questions, I 
would be happy 

Mr. Smith. I would like to respond to that, because I think it 
really comes to the core of what we are trying to talk about. I have 
listened to the situation with regards — I am the only one here, by 
the way, who uses Diebold TS units, and I am the only election director
I guess on the panel that does.

One of the things I have been listening to and have been con- 
cerned about is how this virus would spread. I am an engineer by 
background. I hold a double E degree so I have some kind of tech- 
nical capability in that. 

First of all, if you took one and you corrupted this memory 
card — can I see your card? If you took and corrupted this memory 
card, and it is going to go into one machine, and that one machine 
in my county is probably going to vote between 100 and 150 votes, 
that’s all that’s going to be counted on it, the issue comes on this 
card supposedly then is it is going to be corrupted; okay, we will 
lose 100 votes. That is not good, but it is not like we are losing
50,000 votes that I have cast in the general election, in the last one
in 2004. 

Now, this comes out, it goes back to the end of the process, as 
Mr. Felten has said, it is only going to corrupt one more machine. 
The machines are not interconnected. There is not a possibility of 
corrupting the 500 machines that I am going to put in place for the 
2006 general election. That is, you know, an issue. It is a tactic; 
it is not going to happen. 

Now, there are a lot of other things that we do. I mean, we have 
a lot of security in place. We follow it. I am very anal about those 
types of things and I have talked to Mr. Felten about it, and I 
think that he believes in our county we have a good thing. 

The last thing is, I would like to respond to what Ms. Millender- 
McDonald said — and I think this is as important as anything — is 
that the confidence people have in our equipment is very impor- 
tant. I mean, I couldn’t say anything more. We take — and after 
every election we hand out a response card, given out randomly to 
our people. We say, what do you think about the process? You want 
to have, whatever, and I have got in front of you — it is not a tech- 
nical, you know, survey of the type, but there are 715 responses. 
You can see the names, you can see the precincts, you can see what 
the election was held for; in addition, you can see their comments. 
99.5 percent of the people that responded to these things in my 
county said we did an excellent job. There was only two people, 
only two that requested a paper trail. 

So I think we are doing a good job in Forsyth County, Georgia. 
I think we are doing an excellent job in the entire State of Georgia 
and I think that we need to be — I don’t want to say “recognized” 
for it, but hopefully — don’t impose things on us which are going to 
make our job much harder to do. But I also will tell you that I 
agree with Mr. Felten with regards to having verification, but I be- 
lieve that we do not need to eliminate the paper. 

Mr. Holt. My time has expired. I hope Mr. Felten will get a 
chance to reply, because on my visit to his laboratory it was my 
understanding that the method of spreading the virus is different 
than Mr. Smith seems to understand. 

The Chairman. Very quickly could you give a brief response? 

Mr. Felten. Sure. Well, without getting into a long technical de- 
bate, let me just say that when this memory card goes back to the 
central facility and is put into a so-called accumulator machine 
which adds up the votes, if that accumulator machine becomes in- 
fected it can then infect a very large number of other memory cards 
that are subsequently put into it, and it acts as a very serious car- 
rier of the virus. 

The Chairman. Thank you. 

Just an announcement to my colleagues. I have received a note 
that votes are expected between 12:00 and 12:15. I would like to 
have a second round of questions. Let me suggest that each of us 
tries to limit ourselves to three minutes. And I will begin, and then 
recognize the minority leader or the ranking member. Mr. Doolittle 
presumably will be settled in by then and ready with his question. 

We were just talking to Mr. Smith and I was wondering, Mr. 
Smith, what kind of system did Georgia have before it adopted the 
electronic system? Why did they see the need to change to the current
system, and what were some of the problems you experienced
with the previous system? Basically, is the new system better than 
the previous one or not? 

Mr. Smith. Okay. I think I can respond to that. Fortunately I 
took over as director of elections prior to the introduction of the 
DRE machines. We had at that point in time the punch card ma- 
chines. By the way I would say the security level we had on the 
punch cards is pretty miserable, now that I have gone through and 
listened to all the technical dissertations that have gone on. Our 
punch card machines were monitored by a computer as well. That 
computer sat in a — it was an IBM 386 or something like that. It 
sat in a closet that we kept, and in fact they downloaded software 
to it routinely, you know, over the telephone lines. I would say that 
was highly unsecure, and I was mortified at that when I saw it. 

The changes, the changes that we had, 6 months prior to the 
2002 election, Diebold machines were introduced into Georgia. We
had 6 months in which to take this across the entire State, and I 
would say that the secretary of state and the Center for Election 
Systems from Kennesaw State University did an outstanding job. 

I tell you, I personally used to run major computer projects. I 
didn’t think they could do it. They have done an outstanding job. 
We have continued to hold elections, and people are very pleased 
with them in our State. 

Are there problems? I think some of the things Ms. Millender- 
McDonald brought up with regards to training poll workers are 
very valid, and I appreciate the fact that she will continue to fund 
it. I would like to ask if she would fund the program also so it is 
part and parcel of a program that I have introduced, which is 
called Forsyth First Vote, but we also use high school students to 
do it. One-third of all my poll workers are students. We have 
changed the entire complexion of the people in our county. Maybe 
that is why we are running good elections, I don’t know, but I have 
got poll workers that we turn away because we have a very good 
program, and I am very pleased with it. Thank you. 

The Chairman. Thank you very much. 

Briefly, Mr. Cunningham, you mentioned that you grew up in a 
small town in Ohio. I spent my high school years in an even small- 
er town, I am sure, known as Celeryville, Ohio; population, 200. 

I have a question for you about the VVPAT technology, the printing
paper trail technology. It is relatively new. You have described
the problems that you have encountered with that in Ohio. Do you
believe improvements can be made to the VVPAT printer technology
to make it more reliable, to capture true vote totals, to avoid
the problems you have had; and then would the added complexity 
brought to the system always increase the likelihood of failure? Or 
do you think through sufficient research and study, we could make 
them more reliable? 

Mr. Cunningham. Thank you, Mr. Chairman. I have a personal 
motto: I never buy the first model of anything. I always let other 
people figure out what the problems are before I buy. I think the 
fact of the matter is, when the Help America Vote Act was passed, 
most of the touch-screen voting machines were, by and large, proto- 
types and rushed into manufacture. I am not taking any issue with 
any of the manufacturers, and I am not making a comment on the
reliability of any of their machines. But I think what we have got
on our hands here is the Model-T Ford. We are in the early stages. 
Now, can it be improved? Absolutely. I think throughout my com- 
ments I was very definite to say these machines as they currently 
sit are not reliable. 

My question back to you, though, in that regard is, who is going 
to pay to fix it? Because one of the problems we have right now 
is in the last 24 months, every election jurisdiction in this country 
has spent the $3 billion we spoke about earlier on new election 
equipment, and that is what is in place. So without somebody step- 
ping forward to fund that enterprise, I don’t know how we are 
going to improve them ourselves. 

And if I could, Ms. Lofgren, I liken running an election to throw- 
ing a package of BBs on your kitchen table, and while somebody 
is on each leg moving the table, you are trying to keep them all 
on the table all day long. That is my analogy of election day. 

The Chairman. Thank you for that discouraging analogy. Next 
I recognize the Ranking Member for five minutes. 

Ms. Millender-McDonald. Thank you, Mr. Chairman. And let 
me again thank you so much for this hearing. This has been just 
absolutely the most informative hearing, one of the great ones we 
have had. 

Mr. Cunningham, I thank you for saying that we all agree that 
some type of verification system is needed, and at least we have 
a consensus here for that. But you did speak of the fact that you 
are adamantly opposed to any program such as yours in your State 
which makes VVPAT the official ballot of record for recount? If I
am not mistaken, Ohio lost 10,000 ballots. And what happen here, 
given that you were not able to recount because you can’t reprint? 

Mr. Cunningham. In Ohio — what election are you talking about? 

Ms. Millender-McDonald. It was my understanding that there 
were 10,000 votes that were unable to be recounted because you 
were unable to reprint. 

Mr. Cunningham. You mean at the ESI? 

Ms. Millender-McDonald. Yes. 

Mr. Cunningham. Ten percent of the VVPATs counted, I forget
what the numbers were exactly. I believe the statement that I 
made was that nearly 10 percent of the tapes were either de- 
stroyed, blank, missing, taped together or otherwise compromised 
in some way. I don’t — I don’t think that it would be correct mathe- 
matically to say it was 10 percent of the votes; but 10 percent of 
the VVPAT tapes, based on what we reviewed, had some kind of
compromise that made it very difficult to ascertain what the real 
numbers were. 

Ms. Millender-McDonald. But you make a valid point that because
of the VVPAT, one is unable to reprint; therefore voters will
be unable to discern whether or not their vote counted in an elec- 
tion. Am I correct on that? 

Mr. Cunningham. I am sorry; repeat that? 

Ms. Millender-McDonald. Am I correct in saying that because 
VVPAT is the official ballot record for recount purposes, that if you
should need a recount, you cannot go to a reprint to discern whether
or not those votes

Mr. Cunningham. Right. That is exactly right, Madam. I would
submit to you that to reconcile and verify vote totals on an elec- 
tronic machine, there are better ways to do it in more controlled 
environments than the election-day environment that I just men- 
tioned. And it is — for instance, when the machine back in the office 
and other records that are stored in that machine can be printed 
and otherwise looked at electronically, you know, we work every 
day on this. 

Ms. Millender-McDonald. I am sure. 

Mr. Cunningham. We try — that is my job is to try to reconcile 
those numbers at the end of the day, but trying to maintain this 
contemporaneous record. And the current state that it is in, and I 
think we have — I am just saying it is never going to match. And 
it is only going to fuel this — this fire that voting systems don’t 
work, and I think Ohio has set itself in a very very dangerous situ- 
ation. 

If I may just go on with that, there has been a little talk here 
about we are only concerned with Federal elections. You know, the 
least frequent election I run is a Federal election. We need to be 
very careful that one of the problems that has occurred since the 
passage of HAVA was it put many State rules and regulations in 
conflict with the Federal law. 

Ms. Millender-McDonald. Absolutely. 

Mr. Cunningham. And what we ended up with was these rules 
apply in a Federal election and these rules apply in a local election. 
That is a terrible situation. We cannot operate this enterprise with 
two sets of standards. 

Ms. Millender-McDonald. I couldn’t agree with you more. 

Mr. Cunningham. Please do not think in terms of only Federal 
elections because it is a very problematic proposition. 

Ms. Millender-McDonald. Because you know what, sir? In a 
given election, you have three different laws that you perhaps 
might have to implement. 

Mr. Cunningham. Could have. 

Ms. Millender-McDonald. Local, State and Federal. And you 
know, my hat is off to all of you local elected ones who have to bal- 
ance between the trenches. It is just really problematic. 

Ms. Simons, I will let you close me down because I wanted to go 
to Mr. Shamos. But I just have a second here for you to comment. 

Ms. Simons. Yes. I wanted to remind the panel what happened 
in Carteret County, North Carolina — I believe it was in 2004 — 
where paperless DREs were used and over 4,000 votes were lost. 
There is a concern about being unable to reprint paper ballots or 
VVPATs. When you lose votes in a DRE where there is no paper,
there is nothing you can do. And in fact there was a statewide elec- 
tion for agricultural commissioner, where the separation between 
the two candidates was such that the results could have been re- 
versed by those missing votes. And it went to court. The State 
Board of Elections first tried to hold a vote in just the county. That 
was thrown out by the court. Then the Board of Elections at- 
tempted to hold a statewide vote. That was thrown out by the court 
because we had no laws to deal with what happens when DREs 
fail. Finally there were a number of people who submitted
subpoenas or petitions saying they voted for one of the candidates; and
based on those submissions, it looked like the judge was going to
declare that candidate the winner. So the other candidate con- 
ceded, and so that was how the election was decided. 

This is not the way to hold elections in this country. This is a 
problem with DREs, paperless DREs. This was a case of a failure, 
but there are many other problems too. We haven’t even touched 
upon security problems such as, for example, the risk of somebody 
malicious getting a job with the vendor or the delivery service and 
inserting malicious code. 

We know that all software is buggy. We don’t know, for example, 
if elections have been wrongly recorded because of buggy software, 
forget malicious code. 

There are so many basic problems that we just have no way of 
verifying elections that were held on paperless voting machines — 
we cannot verify them at this point. 

The Chairman. The gentlewoman’s time has expired. 

Ms. Millender-McDonald. This is why the average voter now 
is just so befuddled over elections. 

The Chairman. And most of us are average voters. 

I am pleased to recognize the gentleman from California, Mr. 
Doolittle, for five minutes. 

Mr. Doolittle. Thank you, Mr. Chairman. 

Ms. Simons, your written statement said, quote: Unless there is 
evidence that the VVPBs have been compromised, the paper ballots
should be used to determine the election results. 

I wanted to ask, what sort of evidence of compromise were you 
referring to? 

Ms. Simons. Well, obviously, if you have the kind of mess that 
Mr. Cunningham talked about, that would raise a lot of concerns. 
I share his concern about that kind of technology being deployed. 
We need to have good engineering, we need to have high standards, 
and we have to hold vendors to high standards. Vendors should not 
be allowed to produce machines that can create this kind of
mess. 

Mr. Doolittle. Well, they are machines and I notice that ma- 
chines occasionally make messes. 

Ms. Simons. You know, sometimes you get what you pay for. You 
can buy printers that don’t jam. You can buy printers that don’t 
have privacy issues. This is not rocket science. These things exist 
now. These technologies exist now, and I think a question that we 
have to ask ourselves is how much are we willing to pay for our 
democracy, you know 

Mr. Doolittle. And our Republic. 

Ms. Simons. And our Republic; yes, thank you. 

Mr. Doolittle. Now I apologize, I should have been here, and 
I couldn’t be here earlier, so I missed the direct testimony. But I 
think Mr. Cunningham is from Allen County, right? But there was 
an incident in Cuyahoga County where there was a problem. 

I just wondered if you could tell us, Ms. Simons, do you think 
this evidence of compromise was compromised in the Cuyahoga re- 
count? 

Ms. Simons. Sir, that is what I was referring to, actually.

Mr. Doolittle. Oh, all right. Do you think the paper trail should
have been used as the official ballot in that case? Because that is 
kind of 

Ms. Simons. Well, in that case it is a problem. It is a real prob- 
lem, just as the Carteret County failure is a real problem. We can 
see problems with the paperless systems and problems with the 
systems that have been retrofitted with VVPATs. The underlying
issue, which I believe everyone on this panel would agree on, is we 
need to have well-engineered, well-designed, robust systems. As 
Mr. Cunningham said, this is sort of like the Model-T. These are 
first generations and they are failing. That is not good. 

Mr. Doolittle. Well, I understand the Model-T analogy, but I 
don’t think the members of this committee and the Congress in 
general want to throw away hundreds of millions of dollars on the 
Model-T. 

Mr. Dickson, would you like to comment? 

Mr. Dickson. Yes. There were two points. The loss of votes is 
really, really, a terrible situation. 

Mr. Doolittle. Is what, sir? 

Mr. Dickson. The loss of any votes is really a terrible situation. 
Votes get lost on paper too. The Carteret County voting machine 
does not meet the current standards. If that county had purchased 
an accessible voting machine, built to the current standards, that 
problem would not have happened. 

Mr. Dickson. The Carteret machine, a little red light comes on 
with no words around, and it says, “This machine is full.” There 
was no explanation in the training for poll workers that said this 
red light means the machine is full. On the other machine, the ma- 
chine reads, “Screen full,” and will not accept new votes. 

Mr. Doolittle. Sir, you said — when are you talking about — are 
you talking about the one in Cuyahoga County? 

Mr. Dickson. Carteret County in North Carolina where votes 
were lost on a voting machine. That county administrator wanted 
to buy new accessible voting equipment, and the purchase of it was 
delayed because of the commotion about a paper trail. And the 
problem was created because of the delay. 

Mr. Doolittle. Well, I just wonder, in the Cuyahoga County 
case I understand that the paper trail, which I think Mr. Holt’s bill 
is going to be the thing we go by if there is a conflict — in that case 
the paper trail lost nearly 10 percent of the votes, so it doesn’t 
seem there would be real problems in that instance at least. Hope- 
fully that would be relatively rare, but in that instance if we went 
by the paper trail, as the bill called for, there would be problems. 

Ms. Simons. Actually, there were many problems in that county. I 
understand there were problems with the DREs; that the redun- 
dant memories did not match in about 26 percent of the cases. So 
if you are going to try to do a verification using the redundant 
memories, there can be issues. 

There were a great many problems, not just involving the
VVPATs. This just shows that we need to focus more on technology,
on policies and procedures. As Mr. Cunningham said, running
an election is a complicated thing, but just because there were
problems involving one technology doesn’t mean that that technology
can’t be implemented correctly. Banks deal with money and
paper ballots all the time. Canada holds its Federal election with
paper ballots, so does the U.K., and they manage. 

Mr. Doolittle. In this case the paper trail didn’t solve the prob- 
lem. 

Ms. Simons. Because it was badly engineered. 

Mr. Doolittle. The point is paper is not the ultimate solution. 

The Chairman. The gentleman’s time is expired. 

Mr. Brady, you are recognized for 5 minutes. 

Mr. Brady. We are going through as I speak in my city and 
county in Philadelphia a write-in candidate, as you had, and we are 
doing that as we speak. We are in court now because the candidate 
on the machine won. Then they had a paper they could write on, 
and they are counting the write-in ballots, and that person won, 
and they are going to decide it in court. So we at least had the op- 
portunity to do that. 

I heard you have ways of rectifying or double-checking votes by 
voting electronically and having a camera. A lot of people don’t 
have good faith in any kind of electronics, and what we are trying 
to do here is the right thing. We are trying to restore confidence 
and, most important, trying to restore trust back into our process, 
and we are trying to figure out the best way to do that. 

I understand there is a financial problem, and I understand 
there is always a financial issue, but like what you said, there is 
never enough money. You can always find some money to assure 
democracy, and I subscribe to that. 

Thank you, Mr. Chairman. 

The Chairman. Thank you. 

The Chair recognizes the gentlewoman from California Ms. 
Lofgren for five minutes. 

Ms. Lofgren. Thank you, Mr. Chairman. 

At the conclusion of my first set of questions, Mr. Shamos had 
described alternative ways to verify the vote. I am wondering if, 
Mr. Felten, do you have a comment on those proposals, and also 
Ms. Simons? 

Mr. Felten. If I recall correctly, he mentioned two mechanisms, 
one involving a second screen and a video camera. This seems to 
me more complicated, more expensive than a paper-based 
verification system and probably not any more trustworthy. 

He also mentioned parallel testing, which involves taking the 
machine aside and holding a simulated election. This is something 
we discussed in some detail in our research paper, and the bottom 
line is that that is a worthwhile mechanism, but it is not com- 
pletely effective, not 100 percent effective at the problem. It raises 
the bar, makes it more difficult to make a virus, for example, that 
will evade detection. We should do it, but we should not believe 
that it is going to entirely fix the problem. 

Ms. Simons. To pick up on Ed’s comments, the alternative device
that Professor Shamos mentioned makes it very difficult to hold a 
recount. If you want to have public confidence in elections, one way 
in which you do that is by audits and recounts. I don’t know how 
you would audit that screen. It seems to me it would have the 
same problems as these long rolls of paper that Mr. Cunningham 
showed you, someone to sit in front and say, this one voted here, 
and this one voted there.

Ms. Lofgren. Mr. Smith, do you have a comment on it? I cut you
off, Barbara. I didn’t mean to. 

Ms. Simons. May I finish? The best way to count things is the 
way you count money, you sort it into piles, and you count each 
pile, and that can be transparently and with a TV camera watching 
a count as a way in getting confidence in the results. 

Regarding parallel testing, I think we agree parallel testing is a 
good thing to do. But there is a big “what if,” and that “what if”
is: What if you find a problem with the parallel testing? Are you 
going to go back and rerun the election? As we saw in Carteret 
County, that raises enormous legal and technical problems. 

Ms. Lofgren. Mr. Smith. 

Mr. Smith. I would like to speak from the complexity of the oper- 
ation that you are trying to bring about. One of the things we have 
got in Georgia is a more simple format, I think, for running the 
election because we do not have voter-verifiable paper trail. One of 
the issues — I was actually charged with running the manual re- 
count, so I have some experience with that, too. I wanted to see it 
being done because it is being talked about in our State. 

One of the concerns I have, and I think we all should look back 
to, is who are the people putting this stuff into operation on elec- 
tion day? It is typical. We have done things, you see it. We have 
part-time people who are volunteers who really try to do things, 
but they have gotten up at 4:00 in the morning, 5:00 in the morn- 
ing. They have to open the machines up, do all the other things. 

In Ohio with the VVPAT for Cuyahoga County, they had to do 
other things that we didn’t have to do. They go through the logic 
and accuracy testing essentially right there. They enter the ma- 
chines, they start them up, they do everything. They bring the 
memory cards. Part of the problem was the memory cards weren’t 
seated properly. That was a problem. But the other thing is they 
had to be responsible for these printers. In some cases they put the 
paper in backwards. 

Ms. Lofgren. Let me explore that, because I am taking as a 
given that we are not going to completely change the way America 
holds elections, I think that is true. And I can remember voting 
when I was still at my parents’ house, and you go down to the cor- 
ner, and Mrs. Lucky, who always ran it, and it is retirees and peo- 
ple that volunteer, and it is a wonderful thing, but that is the 
given. 

A lot of States have these verifiable systems, California among 
them. Ms. Simons, has any of them come up with a system that 
actually works better than that silly tape that we have seen? 

Ms. Simons. I think precinct-based optical scan systems are ex- 
cellent. That gives the voter a chance to check for overvotes and 
the absence votes. You put your ballot through the scanner, and it 
tells you if there is a problem with it. Recounts and audits are rel- 
atively easy. The voter verifies the ballot by definition, because the 
voter can look at it. 

There are ways for blind voters to verify an optical scan ballot. 
One possibility is the use of a hand-held device that reads the bal- 
lot for a blind voter. We know that this technology exists. Another 
is to allow blind voters to use tactile ballots where they insert the 
blank ballot into a sleeve envelope that is marked. The sleeve has 





holes that allow a blind voter to mark the ballots. There is also a 
system being marketed which allows a blind voter to verify his or 
her ballot with a vibrating device. 

Ms. Lofgren. I see my time has expired, but I would just like 
to note that I think we may have in the future some other way to 
verify, but I just ask Mr. Holt to put me on his bill because I think 
we need to have some in between on this. [Applause.] 

The Chairman. No demonstrations. 

I am now pleased to recognize Mr. Holt for five minutes. 

Mr. Holt. Thank you, Mr. Chairman. 

My questioning will be along a couple of lines. First of all, Mr. 
Shamos, I am sorry I didn’t have the exact transcript here, but said 
something or other you hate to see us outlaw an entire category of 
machines. This legislation doesn’t outlaw any particular kind of 
voting system except unverifiable ones. 

And you said further, I think, that scare tactics by a minority, 
you hate to see that disrupt the whole process. The Brennan Cen- 
ter for Justice of New York University Law School conducted a 
study with very distinguished people, Ron Rivest from MIT, How- 
ard Schmidt, an administration and corporate security expert, and 
a number of others; and said it found, quote, all three major types 
of voting systems have significant security and reliability 
vulnerabilities that pose a real danger to the integrity of national, 
State and local elections. 

The League of Women Voters, not a scary minority, says they 
support, quote, only voting systems that are designed so that they 
employ a voter-verifiable paper ballot or other paper record, said 
paper being the official record of the voter’s intent. 

The report of the Carter-Baker Commission similarly called for 
a voter-verified paper record, random audits and so forth. 

Mr. Chairman, I would like to ask that the Brennan Center re- 
port, the statement of the National League of Women Voters and 
the Carter-Baker report be made a part of the record. 

The Chairman. Without objection, so ordered. 

Mr. Holt. Thank you. I want to make the point that a number 
of organizations, very responsible organizations with computer sci- 
entists involved and so forth, have taken a look at this matter, and 
we would do well to take a look at that. 

Ms. Simons, I would appreciate it if you would say a little bit 
more about ACM and the subcommittee that is looking at this. 

Then also what I would like the witnesses to comment on, as Mr. 
Dickson recounts and Mr. Smith and others, votes can be lost in 
a lot of ways. They can be lost through manipulating the registra- 
tion list, intimidating voters. There are a lot of things that we need 
to address: Restricting accessibility at polling places or in the poll- 
ing booth; memory cards may not be seated properly; we may not 
recognize that the memory is full before election day is over; and 
paper records, Mr. Doolittle, might be illegible or torn or otherwise 
difficult to use. But it has been determined at least as often that 
redundant electronic memories show that there are problems with 
purely electronic memory. 

So what I would like to ask of the witnesses is would you prefer 
to have a system where there is no possible way of recovering what 
happened, in other words, where the electronic vote, for whatever 





reason, a poorly seated memory card or something else, is wrong, 
and there is no possible way of recovering it; or, as Ms. Simons 
points out, a well-designed system with a paper audit trail where 
there is at least a reasonable chance of being able to recapture, re- 
cover what the voters’ intentions were? 

So I would be happy to have a quick comment from the wit- 
nesses, beginning with Ms. Simons. 

Ms. Simons. You asked me about ACM. It is an 80,000-member 
professional society of computer professionals. Like the APS, (the 
American Physical Society), the ACM is the premier computing so- 
ciety, I would say, in this country. 

The statement that I referred to, which is in my written testi- 
mony, was voted on by ACM Council, which is the elected policy 
making body of ACM. But they did something unusual, not typical 
for ACM. The statement was put on the Web site for members to 
vote on. Of those who voted, 95 percent supported the statement. 
Of the 5 percent who did not support the statement, roughly half, 
based on written comments, objected to the fact that it wasn’t 
broad enough, that it didn’t discuss usability issues as well. 

So I would say obviously you never get 100 percent agreement, 
but in this case we are pretty close to consensus, at least within 
ACM. 

The Chairman. The gentleman’s time has expired. Make brief 
comments, please. Mr. Shamos, first. 

Mr. Shamos. I want to respond to a couple of things. I actually 
didn’t make a comment about scare tactics, although I believe there 
was another member of the panel that did. I just said I don’t think 
we should appeal to emotion on this issue. 

I agree that H.R. 550 does not expressly outlaw any particular 
type of voting equipment. My point was that the practical effect of 
it is that it outlaws DRE machines, and the reason it outlaws DRE 
machines is there is no current machine on the market that meets 
the requirement of the bill and that is usable in individual States 
along with their requirements. 

For example, in Pennsylvania there is popular call for a paper 
trail machine. Four vendors have come to Pennsylvania with their 
paper trail machine. Not a single one has been able to simulta- 
neously offer a paper trail and meet Pennsylvania’s statutory and 
constitutional requirements. So we can’t have one even if we want 
one. The technology is just not there yet. 

The Chairman. I think Mr. Felten had a comment. 

Mr. Felten. The key issue, I think, is resiliency; things go 
wrong, people make mistakes, and we need to have a system we 
can trust even when things do go wrong. The combination of paper 
plus electronic record is more resilient than either one would be 
alone, and that, I think, is the strongest argument for having a 
paper-based verification system. 

Mr. Ehlers. I think Mr. Cunningham has the last answer. 

Mr. Cunningham. I just wanted to make the point to everybody 
that my experience is most votes are lost due to voter error, not 
machine error, not election official error. I don’t know if you looked 
at my resume, but I have about 20 years in the printing business, 
and I have been around a lot of printing machines and copy ma- 





chines, and I can assure you anything you put paper through will 
jam at some point in time. 

E-voting, I want to say to you, I truly believe that in the long- 
term interest of this country — we are still voting the same way we 
did 150 years ago, as you mentioned, Ms. Lofgren, down to your lit- 
tle poll at the corner and precinct. Our society has changed. It is 
mobile, moving. The ability to incorporate the vote centers as Scott 
Doyle in Colorado has been working with as a convenience to vot- 
ers, those types of concepts are based on electronic voting. 

Let’s not throw the baby out with the bath water here. I think, 
Mr. Brady, what is doing more damage to voter confidence, quite 
frankly, is people like your distinguished colleague Mr. Conyers 
publishing reports about the election in Ohio that are factless and 
baseless; none of the accusations have been proved. 

We have got to quit this. We have got to get this conversation 
back to an honest debate about, as I think the whole panel has 
said, how do we work together and move this thing forward and 
quit this sky is falling kind of thing. I think elections, because 
given the magnitude of them — and I have seen now 9 years’ worth 
of them, two Presidential, couple of gubernatorials — given what 
could happen and the magnitude of the task, they are running 
pretty darn good in this country, and I know people all over the 
country like myself and Mr. Smith that are darn proud they are 
involved in it. And the net effect is we are going to begin to drive 
those people out of this, which is going to make the system more 
vulnerable than you ever imagined. 

Ms. Millender-McDonald. Mr. Cunningham, I sure hope that 
is accurate, what you have said, because the voter is not there yet. 
Even though you folks are and your experts, the voter is not there 
yet. And that is the ultimate one that we must bring trust, security 
to bear. 

I would like for you to get for me whatever documentation you 
have that suggests voter error is more than a paper error. If you 
have that type of verification of that statement you made, I would 
like to have it. 

Mr. Cunningham. My point was that most voting error is voter 
error. 

The Chairman. I thank you for your comments. That is a good 
wrap-up. We are going to have votes in just a few moments, and 
I would just like to make a few closing comments. 

First of all, I thank each and every one of you for being here in 
the audience as well as at the witness table. You have contributed 
immensely to this very important issue. 

There is our votes. 

I recognize very clearly, since I have served at the local level, the 
state legislature and now here, that the states have an important 
role, local governments have an important role, and the federal 
government has an important role. 

We often say here that the states are the experimental apparatus 
that tests ideas, and then the federal government should select 
from the best of what the states have discovered. We did not take 
the time to do that in HAVA, and I think that was a mistake. We 
also did not take the time to first set the standards clearly and 
then allow manufacturers to develop equipment to meet those 





standards. And I think that was a fatal flaw which has, I believe, 
created much of the uncertainty that we have. 

I agree totally with the statement someone made: Never buy the 
first model of anything. I bought the first model of one automobile 
just because it precisely fit my needs, it was a good manufacturer; 
a bad mistake, and I was frankly relieved when the car eventually 
got totaled and I got the insurance value because I probably could 
never have sold it. 

We have to recognize that there is a lot of work to be done here 
yet, and the American public’s confidence will return because we 
will build a better system. 

Finally, I want to comment that I always look at two aspects 
here. We want to assure every voter that their vote will be counted, 
be counted accurately, and that the system will work that way. 
There is a second factor we must remember, and that gets back to 
the viruses and other issues. We also have to assure every voter 
that not only will the vote be counted, but it will not be negated 
or diluted by other people voting fraudulently or performing fraud- 
ulent acts such as viruses, throwing ballot boxes away and so forth. 
I want to make sure every voter is assured of both of those — an ac- 
curate count of their vote and an assurance that no one else is 
going to negate it through illegal activity. 

So I am concentrating on those two not just in this particular 
issue, but in other issues such as the photo ID bill that we passed 
through the House a week ago, which I think will also help. 

Thank you very, very much. You have been an outstanding 
panel. I appreciate all that you have done. We do have to go vote, 
and I have a few things to read here. I ask unanimous consent that 
Members and witnesses have seven calendar days to submit mate- 
rial for the record, including additional questions of the witnesses, 
and for those statements and materials to be entered into the ap- 
propriate place in the record. And I assume if we send you written 
questions, you will respond to those. 

Without objection the material will be so entered. 

The Chairman. I ask unanimous consent that staff be authorized 
to make technical and conforming changes on all matters consid- 
ered by the committee at today’s hearing. Without objection, so or- 
dered. 

Ms. Millender-McDonald. 

Ms. Millender-McDonald. I just wanted to concur with you. I 
have served on the local, State and Federal level, and I do think 
that we need to revisit HAVA because it was more or less geared 
for the Federal. And we appreciate all of those who have come 
today, those who serve on both the local, State and Federal. Thank 
you, Mr. Chairman. 

The Chairman. Thank you. 

Having completed our business for today and for this hearing, 
the committee is hereby adjourned. 

[Whereupon, at 12:23 p.m., the committee was adjourned.] 






Resolution adopted by the League of Women Voters of the United States 2006 
National Convention. 

Whereas: Some LWVs have had difficulty applying the SARA Resolution 
(Secure, Accurate, Recountable and Accessible) passed at the last Convention, 
and 

Whereas: Paperless electronic voting systems are not inherently secure, can 
malfunction, and do not provide a recountable audit trail, 

Therefore be it resolved that: 

The position on the Citizens' Right to Vote be interpreted to affirm that LWVUS 
supports only voting systems that are designed so that: 

• they employ a voter-verifiable paper ballot or other paper record, said paper being 
the official record of the voter’s intent; and 

• the voter can verify, either by eye or with the aid of suitable devices for those who 
have impaired vision, that the paper ballot/record accurately reflects his or her 
intent; and 

• such verification takes place while the voter is still in the process of voting; and 

• the paper ballot/record is used for audits and recounts; and 

• the vote totals can be verified by an independent hand count of the paper 
ballot/record; and 

• routine audits of the paper ballot/record in randomly selected precincts can be 
conducted in every election, and the results published by the jurisdiction. 


Affiliated with the Leagues of Women Voters of Pennsylvania and the United States 





Building Confidence in U.S. Elections 

REPORT OF THE COMMISSION ON FEDERAL ELECTION REFORM 

SEPTEMBER 2005 


ORGANIZED BY 

Center for Democracy and Election Management 
American University 

SUPPORTED BY 

Carnegie Corporation of New York 
The Ford Foundation 
John S. and James L. Knight Foundation 
Omidyar Network 


RESEARCH BY 

Electionline.org/The Pew Charitable Trusts 






Letter from the Co-Chairs 

Preface by the Executive Director 

Executive Summary 

1: Goals and Challenges of Election Reform 
   1.1 Help America Vote Act: Strengths and Limitations 
   1.2 Learning from the World 
   1.3 Transforming the Electoral System - Five Pillars 
   1.4 Urgency of Reform 

2: Voter Registration and Identification 
   2.1 Uniformity Within States - Top-Down Registration Systems 
   2.2 Interoperability Among States 
   2.3 Provisional Ballots 
   2.4 Communicating Registration Information 
   2.5 Voter Identification 
   2.6 Quality in Voter Registration Lists 

3: Voting Technology 
   3.1 Voting Machines 
   3.2 Audits 
   3.3 Security for Voting Systems 
   3.4 Internet Voting 

4: Expanding Access to Elections 
   4.1 Assured Access to Elections 
   4.2 Vote by Mail 
   4.3 Vote Centers 
   4.4 Military and Overseas Voting 
   4.5 Access for Voters with Disabilities 
   4.6 Re-Enfranchisement of Ex-Felons 
   4.7 Voter and Civic Education 

5: Improving Ballot Integrity 
   5.1 Investigation and Prosecution of Election Fraud 
   5.2 Absentee Ballot and Voter Registration Fraud 

6: Election Administration 
   6.1 Institutions 
   6.2 Poll Worker Recruitment 
   6.3 Polling Station Operations 
   6.4 Research on Election Management 
   6.5 Cost of Elections 

7: Responsible Media Coverage 
   7.1 Media Access for Candidates 
   7.2 Media Projections of Election Results 

8: Election Observation 

9: Presidential Primary and Post-Election Schedules 
   9.1 Presidential Primary Schedule 
   9.2 Post-Election Timeline 

Conclusion 

Appendix 
   Estimated Costs of Recommended Improvements 

Endnotes 

Summary of Recommendations 

Additional Statements 

About the Commission on Federal Election Reform 







LETTER FROM THE CO-CHAIRS 


Elections are the heart of democracy. They are the instrument for the people to choose leaders and 
hold them accountable. At the same time, elections are a core public function upon which all 
other government responsibilities depend. If elections are defective, the entire democratic system 
is at risk. 

Americans are losing confidence in the fairness of elections, and while we do not face a crisis today, 
we need to address the problems of our electoral system. 

Our Commission on Federal Election Reform was formed to recommend ways to raise confidence 
in the electoral system. Many Americans thought that one report — the Carter-Ford 
Commission — and one law — the Help America Vote Act of 2002 (HAVA) — would be 
enough to fix the system. It isn’t. In this report, we seek to build on the historic achievement of 
HAVA and put forward a bold set of proposals to modernize our electoral system. 

Some Americans will prefer some of our proposals to others. Indeed, while all of the Commission 
members endorse the judgments and general policy thrust of the report in its entirety, they do not 
necessarily support every word and recommendation. Benefitting from Commission members 
with diverse perspectives, we have proposed, for example, a formula for transcending the sterile 
debate between integrity and access. Twenty-four states now require identification for voters, with 
some systems likely to restrict registration. We are recommending a photo ID system for voters 
designed to increase registration with a more affirmative and aggressive role for states in finding 
new voters and providing free IDs for those without driver’s licenses. The formula we 
recommend will result in both more integrity and more access. A few of our members have 
expressed an alternative view of this issue. 

Still, our entire Commission is united in the view that electoral reform is essential and that our 
recommended package of proposals represents the best way to modernize our electoral system. We 
urge all Americans, including the legislative and executive branches of government at all levels, to 
recognize the urgency of election reform and to seriously consider the comprehensive approach 
outlined herein. 

We present this report because we believe the time for acting to improve our election system is now. 

Jimmy Carter 

James A. Baker, III 
Co-Chairs of the Commission on Federal Election Reform 




PREFACE BY THE EXECUTIVE DIRECTOR 

Polls indicate that many Americans lack confidence in the electoral system, but the political parties 
are so divided that serious electoral reform is unlikely without a strong bipartisan voice. Our 
country therefore owes a great debt to former President Jimmy Carter and former Secretary of 
State James A. Baker, III for leading this Commission and forging a plan for election reform. 

To build confidence, the Commission recommends a modern electoral system built on five pillars: 
(1) a universal and up-to-date registration list, accessible to the public; (2) a uniform voter 
identification system that is implemented in a way that increases, not impedes, participation; (3) 
measures to enhance ballot integrity and voter access; (4) a voter-verifiable paper trail and 
improved security of voting systems; and (5) electoral institutions that are impartial, professional, 
and independent. Democrats, Republicans, and Independents tend to prefer different elements of 
this package, but President Carter and Secretary Baker drew strength rather than stalemate from 
the diverse perspectives in fashioning an approach that is greater than the sum of these parts. 

Our Commission was fortunate to have an outstanding staff and academic advisors, and we have 
benefited from advice by Members of Congress and staff, election officials, and representatives of 
a wide range of non-governmental organizations devoted to improving our democracy. See our 
website for a list of advisors and the studies and testimony: www.american.edu/Carter-Baker. 

We acknowledge the support of many at the end of this report, but let me identify here a few 
people whose work was crucial to the Commission: Daniel Calingaert, the Associate Director of 
American University’s Center for Democracy and Election Management, Doug Chapin of 
Electionline.org, John Williams, Senior Advisor to Secretary Baker, Kay Stimson, Media Liaison, 
and Murray Gormly, Administrative Coordinator. The Commission was organized by American 
University’s Center for Democracy and Election Management. We are also grateful to the James 
A. Baker III Institute for Public Policy of Rice University and The Carter Center for hosting the 
other two meetings. 

Finally, the Commission could not have accomplished its goal without the generosity of its funders 
and the advice and support of the following individuals: Geri Mannion of the Carnegie 
Corporation; Thomasina Williams of the Ford Foundation; Julie Kohler of the John S. and James 
L. Knight Foundation; Dena Jones of Omidyar Network; and The Pew Charitable Trusts. 

At AU’s Center for Democracy and Election Management, we view this Commission as a major 
step toward developing the educational foundation for students, professionals, and the public to 
deepen our understanding of democracy and elections in the United States and the world. 

Robert A. Pastor, 

Executive Director 




EXECUTIVE SUMMARY 

Building confidence in U.S. elections is central to our nation’s democracy. At a time when there is 
growing skepticism with our electoral system, the Commission believes that a bold new approach 
is essential. The Commission envisions a system that makes Americans proud of themselves as 
citizens and of democracy in the United States. We should have an electoral system where 
registering to vote is convenient, voting is efficient and pleasant, voting machines work properly, 
fraud is deterred, and disputes are handled fairly and expeditiously. 

This report represents a comprehensive proposal for modernizing our electoral system. We propose 
to construct the new edifice for elections on five pillars: 

First, we propose a universal voter registration system in which the states, not local jurisdictions, 
are responsible for the accuracy and quality of the voter lists. Additionally, we propose that the U.S. 
Election Assistance Commission (EAC) develop a mechanism to connect all states' list. These top- 
down and interoperable registration lists will, if implemented successfully, eliminate the vast 
majority of complaints currently leveled against the election system. States will retain control over 
their registration list, but a distributed database can remove interstate duplicates and help states to 
maintain an up-to-date, fully accurate registration list. This would mean people would need to 
register only once in their lifetime, and it would be easy to update their registration information 
when they move. We also propose that all states establish uniform procedures for counting 
provisional ballots, and many members recommend that the ballots should be counted if the 
citizen has voted in the correct jurisdiction. 

Second, to make sure that a person arriving at a polling site is the same one who is named on the 
list, we propose a uniform system of voter identification based on the “REAL ID card” or an 
equivalent for people without a driver’s license. To prevent the ID from being a barrier to voting, 
we recommend that states use the registration and ID process to enfranchise more voters than ever. 
States should play an affirmative role in reaching out to non-drivers by providing more offices, 
including mobile ones, to register voters and provide photo IDs free of charge. There is likely to 
be less discrimination against minorities if there is a single, uniform ID, than if poll workers can 
apply multiple standards. In addition, we suggest procedural and institutional safeguards to make 
sure that the rights of citizens are not abused and that voters will not be disenfranchised because 
of an ID requirement. We also propose that voters who do not have a photo ID during a 
transitional period receive a provisional ballot that would be counted if their signature is verified. 

Third, we propose measures that will increase voting participation by having the states assume 
greater responsibility to register citizens, make voting more convenient, and offer more 
information on registration lists and voting. States should allow experimentation with voting 
centers. We propose ways to facilitate voting by overseas military and civilians and ways to make 
sure that people with disabilities have full access to voting. In addition, we ask the states to allow 
for restoration of voting rights for ex-felons (other than individuals convicted of capital crimes or 
registered sex offenders) when they have fully served their sentence. We also identify several voter 
and civic education programs that could increase participation and inform voters, for example, by 
providing information on candidates and the voting process to citizens before the election. States 
and local jurisdictions should use Web sites, toll-free numbers, and other means to inform citizens 
about their registration status and the location of their precinct. 




To improve ballot integrity, we propose that federal, state, and local prosecutors issue public 
reports on their investigations of election fraud, and we recommend federal legislation to deter or 
prosecute systemic efforts to deceive or intimidate voters. States should not discourage legal voter 
registration or get-out-the-vote activities, but they need to do more to prevent voter registration 
and absentee ballot fraud. 

Fourth, we propose ways to give confidence to voters using electronic voting machines that their 
votes will be counted accurately. We call for an auditable backup on paper at this time, but we 
recognize the possibility of alternative technologies to audit those machines in the future. We 
encourage independent testing of voting systems (to include voting machines and software source 
code) under EAC supervision. 

Finally, we recommend strengthening and restructuring the system by which elections have been 
administered in our country. We propose that the EAC and state election management bodies be 
reconstituted on a nonpartisan basis to become more independent and effective. We cannot build 
confidence in elections if secretaries of state responsible for certifying votes are simultaneously 
chairing political campaigns, and the EAC cannot undertake the additional responsibilities 
recommended by this report, including critical research, without gaining additional funds and 
support. Polling stations should be organized to reduce the chances of long lines; they should 
maintain “log-books” on Election Day to record complaints; and they need electronic poll-books 
to help voters find their correct precinct. HAVA should be fully funded and implemented by 2006. 

The Commission puts forward 87 specific recommendations. Here are a few of the others: 

• We propose that the media improve coverage of elections by providing at least five 
minutes of candidate discourse every night in the month preceding the election. 

• We ask news organizations to voluntarily refrain from projecting presidential 
election results until polls close in the 48 contiguous states. 

• We request that all of the states provide unrestricted access to all legitimate 
domestic and international election observers, as we insist of other countries, but 
only one state currently permits; and 

• We propose changing the presidential primary schedule by creating four regional 
primaries. 

Election reform is neither easy nor inexpensive. Nor can we succeed if we think of providing funds 
on a one-time basis. We need to view the administration of elections as a continuing challenge, 
which requires the highest priority of our citizens and our government. 




1. Goals and Challenges of Election Reform 

Tile vigor of American democray reas on the vote of each citizen. Only when citizens can 
freely and privately exercise thdr ri^t to vote arel have their vote recorded correctly can 
they hold their leadas aoountaUe. Democracy is endangered when people believe that 
their votes do not manec or are not cminced orrecriy. 

Much has happened since November 2000, when many Americans first recognized 
that their electoral system had serious problems with flawed voter registration lists, 
obsolete voting machines, poorly designed ballots, and inadequate procedures for 
interpreting disputed vot«. Congress and the President, Democrats and Republicans, 
responded with a truly htsroric initiative - the Help America Voce Act of 2002 
(HAVA), the first comprehensive federal law in our nation’s history on electoral 
administrarion. The law represents a agnificant step forward, but it fells short of fully 
modernizing our electoral system. 

On the eve of the November 2004 election, a New York Times poll reported that only one-third
of the American people said that they had a lot of confidence that their votes would
be counted properly, and 29 percent said they were very or somewhat concerned that they
would encounter problems at the polls. Aware of this unease, the U.S. Department of
Justice deployed 1,090 election observers — more than three times the number sent in
2000.¹ After the election, a minority of Americans — only 48 percent — said they were
very confident that the votes cast across the country were accurately counted, according to
a Pew Research Center survey. Thirty-seven percent had doubts (somewhat confident), and
14 percent were not confident that the votes were accurately counted.²

With a strong desire to contribute to building confidence
in our electoral process, this Commission came together
to analyze the state of the electoral system, to assess
HAVA’s implementation, and to offer recommendations
for further improvement. Public confidence in the
electoral system is critical for our nation's democracy.

Little can undermine democracy more than a widespread
belief among the people that elections are neither fair nor
legitimate. We believe that further important
improvements are necessary to remove any doubts about
the electoral process and to help Americans look upon the
process of casting their ballot as an inspiring experience —
not an ordeal.

We address this report to the American people and to 
the President, Congress, U.S. Election Assistance
Commission, states, election administrators, and the
media. Our recommendations aim both to increase
voter participation and to assure the integrity of the electoral system. To achieve those
goals, we need an accurate list of registered voters, adequate voter identification, voting
technology that precisely records and tabulates votes and is subject to verification, and
capable, fair, and nonpartisan election administration.





While each state will retain fundamental control over its electoral system, the federal
government should seek to ensure that all qualified voters have an equal opportunity to
exercise their right to vote. This will require greater uniformity of some voting requirements
and registration lists that are accurate and compatible among states. Greater uniformity is
also needed within states on some voting rules and procedures. The federal government
should fund research and development of voting technology that will make the counting
of votes more transparent, accurate, and verifiable.


1.1 HELP AMERICA VOTE ACT: STRENGTHS AND LIMITATIONS 

The Help America Vote Act of 2002 (HAVA) established numerous federal requirements
for state and local election administration in exchange for a promise of $3.97 billion in
federal funding, of which approximately $3.1 billion has been appropriated to date. These
requirements reflected a national consensus on the
general outline of reform, best represented by the 2001
report of the National Commission on Federal Election
Reform, co-chaired by former Presidents Jimmy Carter
and Gerald Ford. HAVA's mandates were adopted as part
of a compromise between the parties on the divisive issue
of access to the ballot (largely championed by Democrats
and their allies) versus protecting the integrity of the
electoral process (generally favored by Republicans and
their supporters).

Under this compromise, described by its sponsors as
making it “easier to vote and harder to cheat,” HAVA
sought to lower barriers to voting while establishing
somewhat tighter controls on registration and voter
identification. Consequently, HAVA’s mandates focused
on four major requirements: (1) statewide computerized
voter lists; (2) voter ID for individuals who register by mail but do not provide it when
registering; (3) provisional ballots for voters whose names are missing from the registration
rolls on Election Day; and (4) measures to make voting more accessible for voters with
disabilities. The main provisions of HAVA are as follows:

• Voter registration lists, which were typically maintained at the local level, 
are now being consolidated into statewide voter databases. 

• All states are required to provide provisional ballots on Election Day to citizens
who believe they are registered but whose names do not appear on the
registration lists.

• HAVA provides federal funding — for the first time — to create statewide
voter databases and to replace old voting machines.

• All voting systems used in federal elections are required to meet minimum
standards for voter verification of ballots, accessibility for voters with
disabilities and language minorities, notification of over-votes, and
auditing procedures.



Report of the Commission on Federal Election Reform



• HAVA calls for the testing and certification of voting systems as a way to
make sure they operate properly on Election Day.

• The U.S. Election Assistance Commission (EAC) was created to disburse
federal funds, develop guidelines for voting systems, serve as a
clearinghouse of information to improve election administration
throughout the country, and study and report on how to make elections
more accessible and accurate.


Under HAVA, states are required to complete their statewide voter databases by January 1, 
2006, and some expenditures of HAVA funds will extend well beyond that date. Our 
Commission therefore calls for full implementation and full funding of HAVA.


The first presidential election after HAVA became law — on November 2, 2004 — 
brought to light as many problems as in 2000, if not more. HAVA, which will take years
to be fully implemented, was not responsible for most of the complaints. Instead, voters
were discouraged or prevented from voting by the failure of election offices to process voter
registration applications or to mail absentee ballots in time, and by the poor service and
long lines at polling stations in a number of states. There were also reports of improper
requests for voter ID and of voter intimidation and suppression tactics. Concerns were
raised about partisan purges of voter registration lists and about deliberate failures to deliver
voter registration applications to election authorities. Moreover, computer malfunctions
impugned election results for at least one race, and different procedures for counting
provisional ballots within and between states led to legal challenges and political protests.
Had the margin of victory for the presidential contest been narrower, the lengthy dispute
that followed the 2000 election could have been repeated.




The November 2004 elections also showed that irregularities and fraud still occur. In
Washington, for example, where Christine Gregoire was elected governor by a 129-vote
margin, the elections superintendent of King County testified during a subsequent
unsuccessful election challenge that ineligible ex-felons had voted and that votes had been
cast in the names of the dead. However, the judge accepted Gregoire’s victory because with
the exception of four ex-felons who admitted to voting for Dino Rossi, the authorities could
not determine for whom the other illegal votes were cast. In Milwaukee, Wisconsin,
investigators said they found clear evidence of fraud, including more than 200 cases of
felons voting illegally and more than 100 people who voted
twice, used fake names or false addresses, or voted in the name
of a dead person. Moreover, there were 4,500 more votes cast
than voters listed.³ One potential source of election fraud arises
from inactive or ineligible voters left on voter registration lists.
By one estimate, for example, there were over 181,000 dead
people listed on the voter rolls in six swing states in the
November 2004 elections, including almost 65,000 dead
people listed on the voter rolls in Florida.⁴

Some of these problems may be addressed by the full 
implementation of HAVA, but it is clear that others will not. 
Due to vague mandates on provisional voting and 
identification cards, counties and states applied different 
standards. This led to a significant proliferation of legal
challenges. A closer presidential election likely would have
brought an avalanche of litigation. HAVA does not address interoperable registration lists
among states, and it is also vague as to whether states should create a top-down, state-controlled
registration list or a bottom-up list controlled by local election administrators.
The weak structure of the U.S. Election Assistance Commission, a product of a HAVA 
compromise, has stymied its ability to be clear or authoritative on almost any subject, 
even on whether to verify electronic machine votes with paper ballots. Thus, there is a 
compelling need for further election reform that builds on HAVA. 

One of the most important laws on the right of Americans to vote is the Voting Rights
Act of 1965. Key provisions of the Act are due to expire in 2007. These include the
language provision (Section 203), which requires jurisdictions to provide voting
materials in minority languages in areas where language minority groups make up a
significant portion of the population, and the pre-clearance provision (Section 5), which
requires federal pre-clearance for all changes to voting rules or procedures made by 
specified jurisdictions with a history of voter discrimination. Our Commission believes 
this Act is of the utmost importance. 


Recommendations on the Help America Vote Act and the Voting Rights Act 

1.1.1 The Help America Vote Act should be fully implemented by 2006, as mandated by the
law, and fully funded. 

1.1.2 The Commission urges that the Voting Rights Act be vigorously enforced and that 
Congress and the President seriously consider reauthorizing those provisions of the Act 
that are due to expire in 2007. 




1.2 LEARNING FROM THE WORLD 

In its deliberations, our Commission considered the best practices of election systems
around the world. Many other democracies achieve significantly higher levels of voter
participation due, in part, to more effective registration. Election authorities take the
initiative to contact and register voters and conduct audits of voter registration lists to assure
that they are accurate. In addition, voter registration in many countries is often tied directly
to a voter ID, so that voter identification can enhance ballot integrity without raising
barriers to voting. Voters in nearly 100 democracies use a photo identification card without
fear of infringement on their rights.⁵

Nonpartisan election administration has also proved effective abroad. Over the past three
decades, election management institutions have evolved in many other democracies.
Governments had previously conducted elections, but as concern was raised that they
might give advantage to incumbents, independent election commissions were formed.
Initially, election commissioners in other countries frequently represented political parties,
but they often stalemated or reached agreement with each other at the public's expense.
This explains why the trend in the world is toward independent election commissions
composed of nonpartisan officials, who serve like judges, independently of the executive or
legislative branches (see Table 3 on page 52). Political representatives can observe
deliberations on these commissions but not vote on decisions. Nonpartisan election
officials are generally regarded as fair arbiters of the electoral process who make their best
efforts to administer elections impartially and effectively.






1.3 TRANSFORMING THE ELECTORAL SYSTEM - FIVE PILLARS 

The recommendations of our Commission on Federal Election Reform aim both to
increase voter participation and to assure the integrity of the electoral system. To
accomplish these goals, the electoral system we envision should be constructed on the
following five sturdy pillars:

• Voter registration that is convenient for voters to complete and even simpler
to renew and that produces complete, accurate, and valid lists of citizens
who are eligible to vote;

• Voter identification, tied directly to voter registration, that enhances ballot
integrity without introducing new barriers to voting, including the casting
and counting of ballots;

• Measures to encourage and achieve the greatest possible participation in
elections by enabling all eligible voters to have an equal opportunity to vote
and have their votes counted;

• Voting machines that tabulate voter preferences accurately and transparently,
minimize under- and over-votes, and allow for verifiability and full recounts;
and

• Fair, impartial, and effective election administration.


An electoral system built on these pillars will give confidence to all citizens and will 
contribute to high voter participation. The electoral system should also be designed to
reduce the possibility or opportunity for litigation before, and especially after, an 
election. Citizens should be confident that the results of the election reflect their 
decision, not a litigated outcome determined by lawyers and 
judges. This is achieved by clear and unambiguous rules for 
the conduct of the election established well in advance of 
Election Day. 

The ultimate test of an election system is its ability to 
withstand intense public scrutiny during a very close 
election. Several close elections have taken place in recent 
years, and our election system has not always passed that test. 
We need a better election system. 




1.4 URGENCY OF REFORM

Although the public continues to call for election reform, and several election bills have
been introduced, the issue is low on the Congress's agenda at this time. Some congressional
leaders believe that further reform should wait until HAVA is fully implemented. We
believe that the need for additional electoral reform is abundantly clear, and our
recommendations will bolster HAVA to further strengthen public confidence in the
electoral process. If we wait until late 2006, we will lose the opportunity to put new reforms
in place for the 2008 elections, and as a result, the next presidential election could be
fraught with problems. Electoral reform may stay out of public view until the 2006
elections begin to approach, but by that time, it may be too late. We need Congress to press
ahead with election reform now. Indeed, election reform is best accomplished when it is
undertaken before the passions of a specific election cycle begin.

We are Republicans, Democrats, and Independents. But we have deliberately attempted to
address electoral issues without asking the question as to whether a particular political party
would benefit from a particular reform. We have done so because our country needs a clear
unified voice calling for serious election reform. Congress
has been reluctant to undertake reform, in part because
members fear it could affect their chances of re-election
and, when finally pressed by the public, Democrats and
Republicans have addressed each reform by first asking
whether it would help or harm each party’s political
prospects. This has proven to be not only a shortsighted
but also a mistaken approach. Despite widespread belief
that two recent reforms — the National Voter
Registration Act of 1993 and the Bipartisan Campaign
Finance Reform of 2002 — would advantage Democrats
at the expense of Republicans, evidence suggests such
beliefs were wrong. Having a fair electoral process in
which all eligible citizens have an opportunity to
participate freely is a goal that transcends any individual
partisan interest. This assures the winning candidates the
authority to legitimately assume office. For the losing
candidate it assures that the decision can be accepted as
the will of the voters.

Our recommendations are aimed at several timeframes and audiences. Some require 
immediate action, and others can be considered later. We propose some for the federal 
government and some for the states. But we have offered all the recommendations based 
on our views as to how they can best help our country — not our political parties. Together,
these reforms should catalyze a shift in the way that elections are administered. We hope
they will not only restore American confidence in our elections, but also strengthen the
respect from those in the world who look to our democracy as a model.





2. Voter Registration and Identification 

Effective voter registration and voter identification are bedrocks of a modern election
system. By assuring uniformity to both voter registration and voter identification, and by
having states play an active role in registering as many qualified citizens as possible, access
to elections and ballot integrity will both be enhanced. These steps could help bring to an
end the sterile debate between Democrats and Republicans on access versus integrity.

The most common problems on Election Day concern voter registration (see Table 1 on
page 17). Voter registration lists often are riddled with inaccuracies because Americans are
highly mobile, and local authorities, who have maintained most lists, are poorly positioned
to add and delete names of voters who move within or between states. To comprehend the
magnitude of this challenge, consider the following. During the last decade, on average,
about 41.5 million Americans moved each year. Of those, about 31.2 million moved within
the same state, and 8.9 million moved to a different state or abroad. Young Americans (aged
20 to 29), representing 14 percent of the U.S. population, moved to a different state at
almost three times the rate of the rest of the population.⁶ The process of registering voters
should be made easier, and renewal due to a change of address should be made still easier. 


In response to the challenge of building and maintaining better registration lists, HAVA 
requires states to establish statewide, computer-based registration lists that are interactive
within each state by January 1, 2006. HAVA also requires provisional ballots for eligible
voters who seek to vote within their jurisdiction but who are denied a ballot because their
name is not found on the voter roll or because they are
otherwise challenged by an election official as being 
ineligible to vote. 

Although few states have completed their new statewide 
voter databases, the limitations of the existing efforts are
already clear. Several states have left the primary
responsibility for voter lists in the hands of counties and
municipalities. There is little if any effort to assure quality
in statewide voter databases. The U.S. Election Assistance
Commission (EAC) has not assessed the quality of
statewide voter databases and is unlikely to do so in the
future. Moreover, it has provided only vague guidance to
states on how to organize their voter registration lists —
on even the most basic question as to whether states or
counties should be in charge.

In addition to statewide registration systems and 
provisional ballots, HAVA requires that states insist on voter identification only when a
person has registered by mail for the first time in a federal election. This provision, like the
others, was implemented very differently across the country, with some areas not even
applying the minimum requirement. Since HAVA, an increasing number of states have
insisted on stringent, though very different, ID requirements for all voters. This, in turn,
has caused concern that such requirements could erect a new barrier to voting for people
who do not have the requisite idendfication card. Georgia, for example, introduced a new 
law in July 2005 that requires all voters to show a government-issued photo ID at the polls. 





Although there are 159 counties, only 56 locations in the entire state issue such IDs, and
citizens must either pay a fee for the ID or declare indigence.

While states will retain principal responsibility for the conduct of elections, greater
uniformity in procedures for voter registration and identification is essential to guarantee the
free exercise of the vote by all U.S. citizens. The EAC should facilitate greater uniformity in
voter registration and identification procedures and should be empowered to do so by
granting and withholding federal funds to the states. If Congress does not appropriate the
funds, then we recommend that it amend the law to require uniformity of standards.


2.1 UNIFORMITY WITHIN STATES - TOP-DOWN 
REGISTRATION SYSTEMS 



A complete, accurate, and current voter roll is essential to ensure that every eligible citizen
who wants to vote can do so, that individuals who are ineligible cannot vote, and that
citizens cannot vote more than once in the same election. A voter registration list must
contain all eligible voters (including new registrants) and must contain correct information
concerning the voter's identity and residence.

Incomplete or inaccurate registration lists lie at the root of most problems encountered in 
U.S. elections. When a voter list omits the names of citizens who believe they properly
registered or contains incorrect or out-of-date information on
registered voters, eligible citizens often are denied the right to vote.
Invalid voter files, which contain ineligible, duplicate, fictional, or
deceased voters, are an invitation to fraud.

One reason for flawed lists is decentralized management. Local
authorities often fail to delete the names of voters who move from
one jurisdiction to another, and thus the lists are often inflated. For
this reason, the Carter-Ford National Commission on Federal
Election Reform recommended the creation of statewide voter
registration systems, and this recommendation was codified into 
law in HAVA. 

HAVA requires each state to create a “single, uniform, official,
centralized, interactive computerized statewide voter
registration list defined, maintained, and administered at the
state level.” But states have not carried out this requirement in
a consistent manner. Some are creating a “top-down” voter
registration system, in which local election authorities supply information to a unified
database maintained by the state. Others rely on a “bottom-up” system, whereby
counties and municipalities retain their own registration lists and submit information
to a state compilation of local databases at regular intervals. Top-down databases
typically deliver information in real time — counties can see changes from other
localities as these changes are made to the voter list. Bottom-up systems may continue
the problems that gave rise to flawed registration lists — i.e., counties retain control of
the lists. Counties might not delete the names of voters who move or might not add
the names of voters who register at motor vehicle bureaus or other state agencies under
the National Voter Registration Act (NVRA or “Motor Voter”). Thus, the statewide lists might
be different from the controlling county lists.

Having two inconsistent voter lists is like a 
person with two watches who never knows what 
time it is. It is essential to have a single, accurate, 
current voter list. 

As of June 2005, 38 states were establishing top-down
voter registration systems. The remaining
states were either (a) building bottom-up systems;
or (b) creating systems with both top-down and
bottom-up elements. Three states had not finalized
plans.⁷ The EAC, in its interpretation of the HAVA
requirement on statewide voter databases,
expressed a preference for top-down systems for
voter registration but did not insist on it and did
not rule out bottom-up systems.

In the judgment of our Commission, bottom-up systems are not capable of providing a
complete, accurate, current, and valid voter registration list. They are ineffective in
removing duplicate registrations of individuals who move from one county to another and
in coordinating with databases of other state agencies. Even in the best of circumstances,
with excellent cooperation and interaction between states and counties — an unlikely
scenario with the bottom-up system — there will be a time lag in updating voter files in a
bottom-up system. This time lag could be particularly harmful in the period approaching
the deadline for voters to register.


Recommendation on Uniformity Within States 

2.1.1 The Commission recommends that states be required to establish unified, top-down voter 
registration systems, whereby the state election office has clear authority to register 
voters and maintain the registration list. Counties and municipalities should assist the 
state with voter registration, rather than have the state assist the localities. Moreover,
Congress should appropriate funds for disbursement by the U.S. Election Assistance 
Commission (EAC) to states to complete top-down voter registration systems. 





2.2 INTEROPERABILITY AMONG STATES 

Interoperable state voter databases are needed to facilitate updates in the registration of
voters who move to another state and to eliminate duplicate registrations, which are a
source of potential fraud. Approximately 9 million people move to another state or abroad
each year, or about one in eight Americans between each presidential election. Such
interoperability is possible because state voter databases that are centralized can be made to
communicate with each other.

The limited information available on duplicate registrations indicates that a substantial 
number of Americans are registered to vote in two different states. According to news 
reports, Florida has more than 140,000 voters who apparently are registered in four other
states (in Georgia, Ohio, New York, and North Carolina).⁸ This includes almost 46,000
voters from New York City alone who are registered to vote in Florida as well. Voting
records of the 2000 elections appear to indicate that more than 2,000 people voted in two
states. Duplicate registrations are also seen elsewhere. As many as 60,000 voters are
reportedly registered in both North Carolina and South Carolina.⁹

Current procedures for updating the reg^tration of voters who move to another state are 
weak or nonexistent. When people register to vote, they are usually asked to provide their
prior address, so that the jurisdiction where they lived can be notified to delete their names
from the voter list. Such notification, however, often does not occur. When a voter moves
from Virginia to Illinois, for example, a four-step process is required to update voter
registration: (1) election authorities in Illinois must ask for prior address; (2) the voter must
provide prior address; (3) Illinois election authorities must notify
the correct election authorities in Virginia; and (4) Virginia election
authorities must remove the voter from its list. Unless all four steps
are taken, this voter will remain on the voter list in Virginia. In fact,
states often fail to share data or notify each other of voters who
move. As a result, a substantial number of Americans are registered
to vote in more than one state.

Duplicate registrations have accumulated over the years not just 
because there are no systems to remove them other than the one 
described above, but also because people who own homes in two 
states can register to vote in both places. In fact, when 1,700 voters
who were registered in both New York and Florida requested
absentee ballots to be mailed to their home in the other state, no
one ever bothered to investigate.¹⁰

Interoperability among state voter databases is needed to identify and remove duplicate
registrations of citizens who are registered to vote in more than one state. To make the state
voter databases interoperable, the Commission recommends the introduction of a uniform
template, shared voter data, and a system to transfer voter data across states.¹¹

The template will define a common set of voter data that all states will collect in their voter
databases and will share with each other. This set of data will consist of each person's full legal
name, date and place of birth, signature captured as a digital image, and Social Security
number. The signature is needed to confirm the identity of voters who vote by mail.





Under HAVA, voter databases need a “unique identifier,” which is a number used to
distinguish each individual, particularly those with the same or similar names. Some states
use the driver's license number as the unique identifier for voter registration. In other states,
the unique identifier is the Social Security number. Efforts to match voter registrations in
states that use different identifiers are complicated and may fail. Take, for example, the
problem of figuring out whether Paul Smith in Michigan is the same person as Paul Smith
in Kentucky. Since the unique identifier for voter registration is the driver’s license number
in Michigan but the Social Security number in Kentucky, an accurate match of the two
registered Paul Smiths is not likely. Any match will need to rely on Paul Smith’s date of birth
to estimate, based on some level of probability, whether the Paul Smith in each state is the
same person or not.

To make different state voter databases interoperable, therefore, they must use the same
unique identifier, and this identifier must distinguish each American from every other voter
in the country. The state voter databases will need to use a nationwide identifier. Since the
same driver’s license number might be used in different states, the Social Security number
provides the most feasible option for a federal unique identifier.
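
The Paul Smith problem above, worked through as an added example (it is not part of the Commission's report). Every record, name and identifier value is constructed; the `person` ground-truth field and the DMV lookup table are assumptions made so that false matches can be counted.

```python
"""Cross-state duplicate detection: shared identifier vs. name + date of birth.

All records and identifier values below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class VoterRecord:
    state: str
    full_name: str
    born: date
    id_type: str   # identifier the state keys on: "DL" or "SSN"
    id_value: str  # constructed placeholder, never a real number
    person: str    # ground truth; exists only in this constructed data set


def normalize(name):
    """Case-fold and collapse whitespace so 'Paul  SMITH' equals 'paul smith'."""
    return " ".join(name.lower().split())


def match_by_identifier(list_a, list_b):
    """Exact join; works only when both states key on the same identifier type."""
    index = {(r.id_type, r.id_value): r for r in list_a}
    return [(index[(r.id_type, r.id_value)], r)
            for r in list_b if (r.id_type, r.id_value) in index]


def match_by_name_and_birth(list_a, list_b):
    """Fallback join: every pair that shares a normalized name and birth date."""
    index = defaultdict(list)
    for r in list_a:
        index[(normalize(r.full_name), r.born)].append(r)
    return [(a, b) for b in list_b
            for a in index.get((normalize(b.full_name), b.born), [])]


def false_matches(pairs):
    """Pairs that join two different people, judged against the ground truth."""
    return [(a, b) for a, b in pairs if a.person != b.person]


def rekey(records, dmv_lookup):
    """Re-key driver's-license records on the shared identifier held by the DMV.

    Records with no DMV entry are left unchanged and simply stay unmatched.
    """
    out = []
    for r in records:
        shared = dmv_lookup.get(r.id_value) if r.id_type == "DL" else None
        out.append(replace(r, id_type="SSN", id_value=shared) if shared else r)
    return out


# Constructed sample data. Two different people named Paul Smith share a birth
# date; only the first one has moved to Kentucky and registered there.
MICHIGAN = [
    VoterRecord("MI", "Paul Smith", date(1970, 3, 14), "DL", "DL-0001", "p1"),
    VoterRecord("MI", "PAUL  SMITH", date(1970, 3, 14), "DL", "DL-0002", "p2"),
    VoterRecord("MI", "Ann Lee", date(1985, 9, 1), "DL", "DL-0003", "p4"),
]
KENTUCKY = [
    VoterRecord("KY", "Paul Smith", date(1970, 3, 14), "SSN", "SSN-0001", "p1"),
    VoterRecord("KY", "Paul Smith", date(1982, 7, 2), "SSN", "SSN-0003", "p3"),
]
# Hypothetical DMV table mapping each license to the shared identifier.
MICHIGAN_DMV = {"DL-0001": "SSN-0001", "DL-0002": "SSN-0002", "DL-0003": "SSN-0004"}


def compare():
    """Return (exact_before, fallback, exact_after) match lists for the sample."""
    exact_before = match_by_identifier(MICHIGAN, KENTUCKY)
    fallback = match_by_name_and_birth(MICHIGAN, KENTUCKY)
    exact_after = match_by_identifier(rekey(MICHIGAN, MICHIGAN_DMV), KENTUCKY)
    return exact_before, fallback, exact_after


if __name__ == "__main__":
    before, fallback, after = compare()
    print("different identifiers, exact matches:", len(before))
    print("name + birth date candidates:", len(fallback),
          "of which wrong:", len(false_matches(fallback)))
    print("shared identifier, exact matches:", len(after),
          "of which wrong:", len(false_matches(after)))
```

With different identifiers the exact join finds nothing, and the name-and-birth-date fallback returns two candidates for one Kentucky record with no way to tell which is the same person. Once both lists carry the shared identifier, the exact join returns the single true duplicate.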

While the use of Social .Security numbers for voter registration raises concerns about 
privacy, these concerns can be adequately addressed by the
measures the Commission recommends to ensure the
security of voter databases. The Commission stresses the
importance for states to allow only authorized election
officials to use the Social Security numbers. States should
not provide Social Security numbers in the voter lists they
release to candidates, political parties, or anyone else. This
should not be hard to do. Forty-nine states collect Social
Security numbers for driver's licenses,¹² and they have
protected the privacy of the Social Security numbers.

Congress should direct that all states use the same unique
identifier — i.e., the voter’s Social Security number —
and template, but a new system will also be needed to
share data on voters among states. Such a system should
maintain a uniform state voter list while allowing
systematic updating of lists to take into account moves between states. The Commission
proposes using a model similar to the one supervised by the U.S. Department of
Transportation (DOT) to make sure that commercial drivers have only one license. The
Commercial Driver’s License Information System (CDLIS) shares data among states on
commercial driver’s licenses, using a “distributed database” — a collection of 51 databases
(the 50 states and Washington, D.C.) that are linked to each other. When state officials
want to check a particular driver’s record, they go to the central site, which then connects
them to the database of the state that issued a commercial license to that particular driver.
Since all of the state databases are inter-connected, an update in one state database is
immediately available to all other states. CDLIS is operated by the American Association
of Motor Vehicle Administrators under the supervision of the U.S. Department of
Transportation.





Similarly, our Commission recommends a “distributed database” that will connect all states’
registration lists. The creation of a computerized system to transfer voter data between states
is entirely feasible. This system could be managed either by the EAC or by an interstate
compact or association of state officials under EAC supervision.

Implementation of the Commission's recommendation on cross-state interoperability of
voter databases will require state election authorities to collect Social Security numbers and
digital images of signatures for all registered voters. While many
states use the driver's license number as their unique identifier, they
can collect Social Security numbers from their state's department of
motor vehicles (a Social Security number is required by 49 states to
issue a driver’s license).

We recommend that the EAC oversee the adoption of the template
for voter data and for assisting states in the creation of a new system
to share voter data among states, including for setting up a
distributed database.

Congress should appropriate federal funds to complete top-down
state voter databases, cover the costs of adding Social Security
numbers and digital images of signatures to the databases, and
create and maintain the federal distributed database system for sharing voter data among
states. Congress should provide these funds to the EAC for distribution to states that adopt
the uniform template for voter data and join the system for data sharing. Federal funds
would be withheld from states that do not make their voter files interoperable with the
voter databases of other states.

As states make their voter databases interoperable, they will retain full control over their 
registration lists. They will only need to add to their current databases the voter data 
required to complete the uniform template.

Two additional innovations might help to eliminate registration problems that voters have
encountered. First, voters should have an opportunity during the registration process and
before Election Day to review the registration online list to see whether their name is
correctly inscribed and to check their proper precinct for voting. Whenever an error is
discovered, voters should notify the statewide registration office to correct it, and every
statewide registration office should have procedures in place to correct such an error in a
timely manner. Second, precincts should have an “electronic poll-book” that connects them
to the statewide registration list and allows them to locate the correct polling site for each
voter. For those precincts that are small, lack the resources for such an instrument, or do
not have online access, precinct officials should telephone to a neighboring jurisdiction to
obtain the correct information. Poll workers should also have a dedicated phone number
to contact local election officials in case assistance is needed. This phone number should be
different from the number provided to the public. Too often, poll workers cannot connect
with election officials when assistance is needed because public phone lines are
overwhelmed.

The entire system should permit state-of-the-art, computer-based registration lists that will
be accurate and up-to-date for the entire nation.


Report of the Commission on Federal Election Reform





Recommendations on Interoperability Among States 

2.2.1 In order to assure that lists take account of citizens moving from one state to
another, voter databases should be made interoperable between states. This would
serve to eliminate duplicate registrations, which are a source of potential fraud.

2.2.2 In order to assist the states in creating voter databases that are interoperable across
states, the EAC should introduce a template for shared data and a format for cross-
state data transfers. This template should include a person's full legal name, date and
place of birth, signature (captured as a digital image), and Social Security number.

2.2.3 With assistance and supervision by the EAC, a distributed database system should be
established to make sure that the state lists remain current and accurate to take into
account citizens moving between states. Congress should also pass a law mandating
that states cooperate with this system to ensure that citizens do not vote in two states.

2.2.4 Congress should amend HAVA to mandate the interoperability of statewide
registration lists. Federal funds should be appropriated for distribution by the
EAC to states that make their voter databases interoperable, and the EAC should
withhold federal funds from states that fail to do so. The law should also provide
for enforcement of this requirement.

2.2.5 With proper safeguards for personal security, states should allow citizens to verify
and correct the registration lists' information on themselves up to 30 days before the
election. States should also provide “electronic poll-books" to allow precinct officials
to identify the correct polling site for voters.

2.2.6 With interoperability, citizens should need to register only once in their lifetime and
updating their registration will be facilitated when they move.


2.3 PROVISIONAL BALLOTS 

Because of flaws in registration lists and other election administration procedures, HAVA
mandated that any eligible voter who appears at the polls must be given a provisional ballot
if his or her name does not appear on the voter registration list or an election official asserts
that the individual is not eligible to vote. November 2, 2004, marked the first time that all
states were supposed to offer provisional ballots in a
general election. Out of 1.6 million provisional ballots
cast, more than one million were counted. The 1.6
million provisional ballots do not include an unknown
number of voters who were encouraged by poll workers to
go to other polling sites where they might be registered.

Practices for offering and counting provisional ballots in
the 2004 presidential election varied widely by state and
by county. Around the country, the percentage of
provisional ballots counted ranged from a national high in
Alaska of 97 percent to a low of 6 percent in Delaware.






This was due in part to whether a state accepted a provisional ballot cast outside of a voter's
home precinct. In other situations, provisional ballots were counted without first having
been verified as eligible ballots.

If the recommendations for strengthening the registration lists are approved, the need for
provisional ballots will be reduced. In 2004, provisional ballots were needed half as often
in states with unified databases as in states without. Nonetheless, in the absence of the
reforms recommended by this Commission, or in the period before they come fully into
effect, provisional balloting will continue to be a crucial safety net. During the interim,
in order to reduce the chances that elections are litigated, we need consistent procedures
for handling provisional ballots and full training for poll workers who carry out these
procedures.


Recommendations on Provisional Ballots 

2.3.1 Voters should be informed of their right to cast a provisional ballot if their name does
not appear on the voter roll, or if an election official asserts that the individual is not
eligible to vote, but States should take additional and effective steps to inform voters
as to the location of their precinct.

2.3.2 States, not counties or municipalities, should establish uniform procedures for the 
verification and counting of provisional ballots, and that procedure should be applied 
uniformly throughout the State. Many members of the Commission recommend that a 
provisional ballot cast in the incorrect precinct but in the correct jurisdiction should be 
counted. 

2.3.3 Poll workers should be fully trained on the use of provisional ballots, and provisional
ballots should be distinctly marked and segregated so they are not counted until the
eligibility of the voter is determined.


2.4 COMMUNICATING REGISTRATION INFORMATION 

The hotlines set up by nonprofit organizations to assist voters on Election Day received
hundreds of thousands of calls (see Table 1 on page 17). Most of the callers had two
simple questions: Am I registered to vote? And where do I go to vote? Answers to these
questions, however, too often were difficult to obtain. Only nine state election Web sites
were able to provide voters with their registration information or with the address of their
polling site. Information was equally difficult to obtain from election offices by
telephone. One Election Day hotline transferred callers to their county board of
elections, but barely half of these calls were answered, and of the other half, few provided
the information that was requested.








Failure to provide voters with such basic information as their registration status and their
polling site location raises a barrier to voting as significant as inconsistent procedures on
provisional ballots or voter ID requirements. As states gain responsibility for voter
registration, they will be well positioned to inform voters if they are listed in the voter files.

The Web sites of local jurisdictions should allow voters to check whether they are registered
and the location of their precinct. This precinct-locator feature should be added to state
elections Web sites. In addition, information on how to register and where to vote should
be disseminated in local media, on posted lists, and in other government offices, including
welfare and social services agencies.



Since election officials may have difficulty responding to telephone calls on Election Day
as they are conducting the election, states and local jurisdictions should encourage voters to
inquire about their registration status and the location of their polling place considerably
before Election Day.


TABLE 1: Voter Calls to the MYVOTE1 Hotline on Election Day 2004

Topic of Question or Complaint
on Election Day 2004                Percent of Total

Registration Issues/Poll Access     43.4%
Absentee Voting                     24.2%
Coercion/Intimidation                4.9%
Mechanical                           4.5%
Identification                       2.5%
Provisional Ballots                  1.9%
Ballot/Screen                        1.3%
Other                               16.8%
TOTAL                              100.0%

•i«Ti»! TomU Ml! hW »p.Mi M jn.li.ij of $s 1)1*0 phuftir -JU «. the MYV'OTEI hoilint on 

November 2, 2004. Two major, nonpartisan hotlines and the U.S. Election Assistance Commission
received a total of approximately 255,000 voter calls on Election Day 2004.

SOURCES: Testimony before the Commission on Federal Election Reform by Ken Smukler, President of
Info Voter Technologies, on June 30, 2005; Testimony before the U.S. House of Representatives
Administration Committee by the U.S. Election Assistance Commission, on February 9, 2005.


Recommendation on Communicating Registration Information 

2.4.1 States and local jurisdictions should use Web sites, toll-free numbers, and other means 
to answer questions from citizens as to whether they are registered and, if so, what is 
the location of their precinct, and if they are not registered, how they can do so before 
the deadline.




2.5 VOTER IDENTIFICATION 

A good registration list will ensure that citizens are only registered in one place, but election
officials still need to make sure that the person arriving at a polling site is the same one that
is named on the registration list. In the old days and in small towns where everyone knows
each other, voters did not need to identify themselves. But in the United States, where 40
million people move each year, and in urban areas where some people do not even know
the people living in their own apartment building let alone their precinct, some form of
identification is needed.

There is no evidence of extensive fraud in U.S. elections or of multiple voting, but both
occur, and it could affect the outcome of a close election. The electoral system cannot
inspire public confidence if no safeguards exist to deter or detect fraud or to confirm the
identity of voters. Photo IDs currently are needed to board a plane,
enter federal buildings, and cash a check. Voting is equally
important.

The voter identification requirements introduced by HAVA are
modest. HAVA requires only first-time voters who register by mail
to show an ID, and they can choose from a number of different
types of identification. States are encouraged to allow an expansive
list of acceptable IDs, including those without a photograph, such
as utility bills or government checks. These requirements were not
implemented in a uniform manner and, in some cases, not at all.
After HAVA was enacted, efforts grew in the states to strengthen
voter identification requirements. While 11 states required voter
ID in 2001, 24 states now require voters to present an ID at the
polls. In addition, bills to introduce or strengthen voter ID
requirements are under consideration in 12 other states.

Our Commission is concerned that the different approaches to
identification cards might prove to be a serious impediment to
voting. There are two broad alternatives to this decentralized and
unequal approach to identification cards. First, we could recommend eliminating any
requirements for an ID because the evidence of multiple voting is thin, and ID
requirements, as some have argued, are "a solution in search of a problem." Alternatively,
we could recommend a single national voting identification card. We considered but
rejected both alternatives.

We rejected the first option — eliminating any requirements — because we believe that 
citizens should identify themselves as the correct person on the registration list when they 
vote. While the Commission is divided on the magnitude of voter fraud — with some 
believing the problem is widespread and others believing that it is minor — there is no 
doubt that it occurs. The problem, however, is not the magnitude of the fraud. In close or
disputed elections, and there are many, a small amount of fraud could make the margin of
difference. And second, the perception of possible fraud contributes to low confidence in
the system. A good ID system could deter, detect, or eliminate several potential avenues of
fraud — such as multiple voting or voting by individuals using the identities of others or





those who are deceased — and thus it can enhance confidence. We view the other concerns
about IDs — that they could disenfranchise eligible voters, have an adverse effect on
minorities, or be used to monitor behavior — as serious and legitimate, and our proposal
below aims to address each concern.

We rejected the second option of a national voting
identification card because of the expense and our
judgment that if these cards were only used for each
election, voters would forget or lose them.

We therefore propose an alternative path. Instead of
creating a new card, the Commission recommends that
states use “REAL ID” cards for voting purposes. The
REAL ID Act, signed into law in May 2005, requires
states to verify each individual's full legal name, date of
birth, address, Social Security number, and U.S.
citizenship before the individual is issued a driver's license
or personal ID card. The REAL ID is a logical vehicle
because the National Voter Registration Act established a
connection between obtaining a driver's license and
registering to vote. The REAL ID card adds two critical
elements for voting — proof of citizenship and
verification by using the full Social Security number.

The REAL ID Act does not require that the card indicates citizenship, but that would need
to be done if the card is to be used for voting purposes. In addition, state bureaus of motor
vehicles should automatically send the information to the state’s bureau of elections. (With
the National Voter Registration Act, state bureaus of motor vehicles ask drivers if they want
to register to vote and send the information only if the answer is affirmative.)

Reliance on REAL ID, however, is not enough. Voters who do not drive, including older
citizens, should have the opportunity to register to vote and receive a voter ID. Where they
will need identification for voting, IDs should be easily available and issued free of charge.
States would make their own decision whether to use REAL ID for voting purposes or
instead to rely on a template form of voter ID. Each state would also decide whether to
require voters to present an ID at the polls, but our Commission recommends that states
use the REAL ID and/or an EAC template for voting, which would be a REAL ID card
without reference to a driver’s license.

For the next two federal elections, until January 1, 2010, in states that require voters to
present ID at the polls, voters who fail to do so should nonetheless be allowed to cast a
provisional ballot, and their ballot would count if their signature is verified. After the REAL
ID is phased in, i.e., after January 1, 2010, voters without a valid photo ID, meaning a
REAL ID or an EAC-template ID, could cast a provisional ballot, but they would have to
return personally to the appropriate election office within 48 hours with a valid photo ID
for their vote to be counted.





To verify the identity of voters who cast absentee ballots, the voter's signature on the
absentee ballot can be matched with a digitized version of the signature that the election
administrator maintains. While such signature matches are usually done, they should be
done consistently in all cases, so that election officials can verify the identity of every new
registrant who casts an absentee ballot.

The introduction of voter ID requirements has raised concerns that they may present a
barrier to voting, particularly by traditionally marginalized groups, such as the poor and
minorities, some of whom lack a government-issued photo ID. They may also create
obstacles for highly mobile groups of citizens. Part of these concerns are addressed by
assuring that government-issued photo identification is available without expense to any
citizen and, second, by government efforts to ensure that all voters are provided convenient
opportunities to obtain a REAL ID or EAC-template ID card. As explained in Section 4.1,
the Commission recommends that states play an affirmative role in reaching out with
mobile offices to individuals who do not have a driver's license or other government-issued
photo ID to help them register to vote and obtain an ID card.

There are also longstanding concerns voiced by
some Americans that national identification cards
might be a step toward a police state. On that note,
it is worth recalling that most advanced democracies
have fraud-proof voting or national ID cards, and
their democracies remain strong. Still, these
concerns about the privacy and security of the card
require additional steps to protect against potential
abuse. We propose two approaches. First, new
institutional and procedural safeguards should be
established to assure people that their privacy,
security, and identity will not be compromised by
ID cards. The cards should not become instruments
for monitoring behavior. Second, certain groups
may see the ID cards as an obstacle to voting, so the
government needs to take additional measures to
register voters and provide ID cards.

The needed measures would consist of legal protections, strict procedures for managing
voter data, and creation of ombudsman institutions. The legal protections would prohibit
any commercial use of voter data and impose penalties for abuse. The data-management
procedures would include background checks on all officials with access to voter data and
requirements to notify individuals who are removed from the voter registration list. The
establishment of ombudsman institutions at the state level would assist individuals to
redress any cases of abuse. The ombudsman would be charged with assisting voters to
overcome bureaucratic mistakes and hurdles and respond to citizen complaints about the
misuse of data.





The Commission's recommended approach to voter ID may need to adapt to changes in
national policy in the future. Since the attacks of September 11, 2001, concerns about
homeland security have led to new policies on personal identification. Under a presidential
directive, about 40 million Americans who work for or contract with the federal
government are being issued ID cards with biometrics, and the REAL ID card may very
well become the principal identification card in the country. Driven by security concerns,
our country may already be headed toward a national identity card. In the event that a
national identity card is introduced, our Commission recommends that it be used for
voting purposes as well.


Recommendations on Voter Identification 

2.5.1 To ensure that persons presenting themselves at the polling place are the ones on the 
registration list, the Commission recommends that states require voters to use the 
REAL ID card, which was mandated in a law signed by the President in May 2005. 
The card includes a person's full legal name, date of birth, a signature (captured as a 
digital image), a photograph, and the person's Social Security number. This card should 
be modestly adapted for voting purposes to indicate on the front or back whether the 
individual is a U.S. citizen. States should provide an EAC-template ID with a photo to
non-drivers free of charge. 

2.5.2 The right to vote is a vital component of U.S. citizenship, and all states should use 
their best efforts to obtain proof of citizenship before registering voters. 

2.5.3 We recommend that until January 1, 2010, states allow voters without a valid photo
ID card (Real or EAC-template ID) to vote, using a provisional ballot by signing an
affidavit under penalty of perjury. The signature would then be matched with the digital
image of the voter's signature on file in the voter registration database, and if the
match is positive, the provisional ballot should be counted. Such a signature match
would in effect be the same procedure used to verify the identity of voters who cast
absentee ballots. After January 1, 2010, voters who do not have their valid photo ID
could vote, but their ballot would only count if they returned to the appropriate
election office within 48 hours with a valid photo ID.

2.5.4 To address concerns about the abuse of ID cards, or the fear that it could be an 
obstacle to voting, states should establish legal protections to prohibit any commercial
use of voter data and ombudsman institutions to respond expeditiously to any citizen 
complaints about the misuse of data or about mistaken purges of registration lists 
based on interstate matching or statewide updating. 

2.5.5 In the event that Congress mandates a national identification card, it should include
information related to voting and be connected to voter registration. 





2.6 QUALITY IN VOTER REGISTRATION LISTS

Voter registration lists provide the basis for determining who is qualified to vote. Yet only
a few states, notably Oregon and North Carolina, have assessed the quality of their lists, or
have developed plans to do so. This is also true as states rush to complete statewide voter
databases before the January 1, 2006, deadline. Moreover, the EAC does not assess the
quality of voter files.


The little information available on the quality of voter files is not reassuring. The creation
of statewide voter databases allows for the elimination of duplicate registrations within
states, but attempts to match voter files with records of other state agencies are often
ineffective. Death records, for example, sometimes are not provided to election officials for
three or four months, and information on felons is usually incomplete. Comparison with
U.S. Census Bureau statistics also points to extensive “deadwood” on the voter registration
lists. Some states have a large portion of inactive voters on their voter registration lists. One
in four registered voters in Oregon is inactive, as is one in every three registered voters in
California. There also are numerous jurisdictions, such as Alaska, where the number of
registered voters is greater than the number of voting-aged citizens. These jurisdictions
clearly have not updated their voter registration lists by
removing the names of voters who have died or have moved
away.


Voter registration lists are often inflated by the inclusion of
citizens who have moved out of state but remain on the lists.
Moreover, under the National Voter Registration Act, names
are often added to the list, but counties and municipalities
often do not delete the names of those who moved. Inflated
voter lists are also caused by phony registrations and efforts to
register individuals who are ineligible. Registration forms in
the names of comic figures, for example, were submitted in
Ohio in 2004. At the same time, inaccurate purges of voter lists
have removed citizens who are eligible and are properly
registered.

From what little is known, the quality of voter registration lists
probably varies widely by state. Without quality assurance,
however, cross-state transfers of voter data may suffer from the
problem of “garbage in, garbage out.” They may pass on inaccurate data from certain states
to the rest of the country. The overall quality of a system to share voter data among states
will only be as strong as the quality of the worst state voter database.


Each state needs to audit its voter registration files to determine the extent to which they
are accurate (with correct and current information on individuals), complete (including all
eligible voters), valid (excluding ineligible voters), and secure (with protections against
unauthorized use). This can be done by matching voter files with records in other state
agency databases in a regular and timely manner, contacting individuals when the matches
are inconclusive, and conducting survey research to estimate the number of voters who
believe they are registered but who are not in fact listed in the voter files. Other countries
regularly conduct such audits.




Effective audits assess not only the quality of voter files but also the procedures used to
update, maintain, and verify data and to ensure security of voter databases. To assure
continual quality of voter databases, effective procedures are needed to maintain up-to-date
lists of eligible voters, verify the accuracy of those lists, and remove voters who have become
ineligible. These should include procedures to delete those who have moved out of state
and to effectively match voter files with records of driver's licenses, deaths, and felons. Given
the controversial "purges" that have occurred, special care must be taken to update the lists
in a fair and transparent manner. States should adopt uniform procedures and strong
safeguards against incorrect removal of eligible voters. Every removal should be double-
checked before it is executed, and a record should be kept of every action. The process of
updating the lists should be continuous, and before each statewide election the voter rolls
should be audited for accuracy.

In addition, states need to assure the privacy and security of voter files. There is no
justification for states to release voter files for commercial purposes. However, components
of voter files should remain public documents subject to public scrutiny. States must
carefully balance the right to privacy of registered citizens with the need for transparency in
elections when they decide what information on voter registration to make available to the
public. Procedures are also needed to protect voter files against tampering or abuse. This
might be done by setting up the voter database to make an automatic record of all changes
to the voter files, including a record of who made the changes and when.


Recommendations on Quality in Voter Registration Lists 

2.6.1 States need to effectively maintain and update their voter registration lists. The
EAC should provide voluntary guidelines to the states for quality audits to test
voter registration databases for accuracy (correct and up-to-date information on
individuals), completeness (inclusion of all eligible voters), and security (protection
against unauthorized access). When an eligible voter moves from one state to another,
the state to which the voter is moving should be required to notify the state which the
voter is leaving to eliminate that voter from its registration list.

2.6.2 All states should have procedures for maintaining accurate lists such as electronic
matching of death records, driver's licenses, local tax rolls, and felon records.

Federal and state courts should provide state election offices with the lists of
individuals who declare they are non-citizens when they are summoned for jury duty.

2.6.4 In a manner that is consistent with the National Voter Registration Act, states should
make their best efforts to remove inactive voters from the voter registration lists. States
should follow uniform and strict procedures for removal of names from voter registration
lists and should adopt strong safeguards against incorrect removal of eligible voters. All
removals of names from voter registration lists should be double-checked.

2.6.5 Local jurisdictions should track and document all changes to their computer
databases, including the names of those who make the changes. 
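
The change record and double-checked removal called for in Section 2.6 (an automatic record of who changed what and when, and a second check before any name is removed), sketched as an added Python example that is not part of the Commission's report. The class and function names, the sample records, and the use of a SHA-256 hash chain to make later edits to the record detectable are assumptions of this example, not requirements stated in the report.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" used by the first log entry


def entry_digest(entry):
    """SHA-256 over every field of a log entry except its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class VoterFile:
    """Toy in-memory voter file (hypothetical): every action lands in self.log."""

    def __init__(self):
        self.records = {}   # voter_id -> dict of fields
        self.pending = {}   # voter_id -> official who proposed the removal
        self.log = []       # append-only change record

    def _append(self, official, action, voter_id, detail):
        entry = {
            "seq": len(self.log),
            "when": datetime.now(timezone.utc).isoformat(),
            "official": official,
            "action": action,
            "voter_id": voter_id,
            "detail": detail,
            # Chaining each entry to the one before it makes edits detectable.
            "prev": self.log[-1]["hash"] if self.log else GENESIS,
        }
        entry["hash"] = entry_digest(entry)
        self.log.append(entry)

    def add(self, official, voter_id, fields):
        if voter_id in self.records:
            raise ValueError("duplicate registration: " + voter_id)
        self.records[voter_id] = dict(fields)
        self._append(official, "add", voter_id, {"new": dict(fields)})

    def update(self, official, voter_id, changes):
        record = self.records[voter_id]
        old = {k: record.get(k) for k in changes}
        record.update(changes)
        self._append(official, "update", voter_id,
                     {"old": old, "new": dict(changes)})

    def propose_removal(self, official, voter_id, reason):
        if voter_id not in self.records:
            raise KeyError(voter_id)
        self.pending[voter_id] = official
        self._append(official, "removal_proposed", voter_id, {"reason": reason})

    def confirm_removal(self, official, voter_id):
        """Execute a removal only when a second, different official confirms."""
        proposer = self.pending.get(voter_id)
        if proposer is None or proposer == official:
            # Refused attempts are recorded too: a record of every action.
            self._append(official, "removal_refused", voter_id,
                         {"why": "needs a prior proposal by a different official"})
            return False
        removed = self.records.pop(voter_id)
        del self.pending[voter_id]
        self._append(official, "removal_executed", voter_id,
                     {"proposed_by": proposer, "removed": removed})
        return True


def verify_log(log):
    """Return the index of the first altered or out-of-order entry, else None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if (entry["seq"] != i or entry["prev"] != prev
                or entry["hash"] != entry_digest(entry)):
            return i
        prev = entry["hash"]
    return None


if __name__ == "__main__":
    # Constructed sample data; no real voters or officials.
    vf = VoterFile()
    vf.add("clerk_a", "V-0001", {"name": "Sample Voter", "precinct": "12"})
    vf.propose_removal("clerk_a", "V-0001", "reported move out of state")
    print("same official confirms:", vf.confirm_removal("clerk_a", "V-0001"))
    print("second official confirms:", vf.confirm_removal("clerk_b", "V-0001"))
    print("first bad log entry:", verify_log(vf.log))
```

The chain exposes in-place edits only while the most recent hash is also kept somewhere the database administrators cannot rewrite, for example in a periodic report to a separate oversight office.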




3. Voting Technology

The Help America Vote Act of 2002 authorized up to $650 million in federal funds to
replace antiquated voting machines throughout the country. States are using these funds
and their own resources to upgrade voting technology, generally to replace punch card
and lever voting machines with new optical scan and electronic voting systems. As a
result, voting technology is improving, but new concerns related to electronic voting
systems have arisen. These concerns need to be addressed, because it is vital to the
electoral process that citizens have confidence that voting technologies are registering and
tabulating votes accurately.

3.1 VOTING MACHINES 

The purpose of voting technology is to record and tally all votes accurately and to provide
sufficient evidence to assure all participants — especially the losing candidates and their
supporters — that the election result accurately reflects the will of the voters.

Voting machines must be both accessible and transparent. As required by HAVA, the
machines must be accessible to language minorities and citizens with disabilities, including
the blind and visually impaired citizens, in a manner that allows for privacy and
independence. Voting machines must also be transparent. They must allow for recounts
and for audits, and thereby give voters confidence in the accuracy of the vote tallies.

Two current technology systems are optical scan and direct recording electronic (DRE)
systems. Optical scan systems rely on preprinted paper ballots that are marked by the voter,
like the ovals students fill in with a No. 2 pencil on a standardized exam, and then are run
through an optical scan machine that determines and tallies the votes. Such systems provide
transparency because the paper ballots can be recounted and audited by hand. Under
HAVA, all aspects of the voting system, including the production of audit trail information,
must be accessible to voters with disabilities.

DRE machines present voters with their choices on a computer screen, and voters choose 
by touching the screen or turning a dial. The vote is then recorded electronically, usually 
without ballot paper. DREs make up a growing share of voting equipment. Nearly 30 
percent of voters live in jurisdiaions that use DREs. compared to 1 7 percent in the 2000 
election (sec Table 2 on page 27).“ DREs allow voters vwth disabilities to use audio prompts 
to cast ballots privately and independently, and they fecilitare voting non-English 
speakers by offering displays of the ballot in different languages. DREs also provide gearcr 
accuracy in recording votes, in pan by preventing over-votes, whereby people mistakenly 
vote for more than one candidate, and by discouraging accidental under-voces by 
reminding voters when they overlooked one or more races 

The accessibility and accuracy of DREs, however, are offset by a lack of transparency, which
has raised concerns about security and verifiability. In most of the DREs used in 2004,
voters could not check that their ballot was recorded correctly. Some DREs had no capacity
for an independent recount. And, of course, DREs are computers, and computers
malfunction. A malfunction of DREs in Carteret County, North Carolina, in the
November 2004 elections caused the loss of more than 4,400 votes. There was no backup
record of the votes that were cast. As a result, Carteret County had no choice but to rerun
the election, after which it abandoned its DREs. Other jurisdictions have lost votes because
election officials did not properly set up voting machines.

To provide backup records of votes cast on DREs, HAVA requires that all voting machines
produce a “permanent paper record with a manual audit capacity.” This requirement is
generally interpreted to mean that each machine must record individual ballot images, so
that they can be printed out and examined in the event of a disputed result or of a recount.
This will make DREs somewhat more transparent, but it is still insufficient to fully restore
confidence.

One way to instill greater confidence that DREs are properly recording votes is to require
a paper record of the ballot that the voter can verify before the ballot is cast. Such a paper
record, known as a voter-verifiable paper audit trail (VVPAT), allows the voter to check that
his or her vote was recorded as it was intended.

Because voter-verifiable paper audit trails can permit recounts, audits, and a backup in case
of a malfunction, there is a growing demand for such paper trails. As of early August 2005,
25 states required voter-verifiable paper ballots, and another 14 states had proposed
legislation with such a requirement.

Since very few of the DREs in use today are equipped to print voter-verifiable paper audit
trails, certain bills before Congress would require election authorities to “retrofit” DREs
with such printers. In 2004, DREs with voter-verifiable paper audit trails were used only
in Nevada. They appear to have worked well. When Nevadans went to the polls and
made their selection, a paper record of their vote was printed behind a glass cover on a
paper roll, like the roll of paper in a cash register. Voters were able to view the paper record
and thereby check that their vote was recorded accurately before they cast their ballot. The
paper record was saved in the machine and thus was available for later use in recounts or
audits. After the 2004 elections, Nevada election officials conducted an internal audit,
which confirmed the accuracy of the votes recorded by the DREs. While less than one in
three Nevada voters reportedly looked at the paper record of their ballot, these voters had
the opportunity to confirm their vote, and the paper allowed a chance to verify the
computer tallies after the election.

While HAVA already requires that all precincts be equipped with at least one piece of voting
equipment that is fully accessible to voters with disabilities for use in federal elections by
January 1, 2006, must be accessible to voters with disabilities, the Commission believes that
transparency in voting machines should also be assured in time for the 2008 presidential
election. With regard to current technology, states will need to use either DREs with a
voter-verifiable paper audit trail and an audio prompt for blind voters or optical scan voting
systems with at least one computer-assisted marking device for voters with disabilities to
mark their ballot. To ensure implementation of this requirement, Congress will need to
appropriate sufficient funds to cover the costs of either retrofitting DREs with
voter-verifiable paper audit trails or purchasing a computer-assisted marking device for each
polling place that uses optical scan voting systems.

Concerns have been raised that the printers could malfunction just as computers do. Of
course, the previous ballot papers will be available, and the operators will know when the
printers fail. Still, precincts should have backup printers for that contingency. A second
concern is that the length of the ballot in some areas — such as California, which frequently
has referenda — would require paper trails that would be several feet long. In the case of
non-federal races, state law would determine whether the non-federal portion of the ballot
would similarly be required to provide a voter-verified paper audit trail. That is not a perfect
solution, but it is still better than having no paper backup at all.

The standards for voting systems, set by the EAC, should assure both accessibility and
transparency in all voting machines. Because these standards usually guide the decisions of
voting machine manufacturers, the manufacturers should be encouraged to build machines
in the future that are both accessible and transparent and are fully capable of meeting the
needs of Americans with disabilities, of allowing voters to verify their ballots, and of
providing for independent audits of election results.


TABLE 2: Types of Voting Equipment in Recent Presidential Elections

Type of Voting       Registered Voters in 2000    Registered Voters in 2004
Equipment            (by percentage)              (by percentage)

Punch Card           27.9%                        12.4%
Lever                17.0%                        14.0%
Paper Ballots         1.3%                         0.7%
Data Vote             2.8%                         1.3%
Optical Scan         29.3%                        34.9%
Electronic           12.6%                        29.4%
Mixed                 8.9%                         7.4%
TOTAL               100.0%                       100.0%

SOURCES: Election Data Services, Equipment Summary by Type, 2004; Election Data Services,
New Study ... 50 Million Voters Will Use Electronic Voting ... Punch Cards in 2004.


Recommendations on Voting Machines 

3.1.1 Congress should pass a law requiring that all voting machines be equipped with a 
voter-verifiable paper audit trail and, consistent with HAVA, be fully accessible to 
voters with disabilities. This is especially important for direct recording electronic 
(DRE) machines for four reasons: (a) to increase citizens' confidence that their vote 
will be counted accurately, (b) to allow for a recount, (c) to provide a backup in cases 
of loss of votes due to computer malfunction, and (d) to test — through a random 
selection of machines — whether the paper result is the same as the electronic result. 
Federal funds should be appropriated to the EAC to transfer to the states to 
implement this law. While paper trails and ballots currently provide the only means to 
meet the Commission's recommended standards for transparency, new technologies 
may do so more effectively in the future. The Commission therefore urges research and 
development of new technologies to enhance transparency, security, and auditability of 
voting systems. 

3.1.2 States should adopt unambiguous procedures to reconcile any disparity between the 
electronic ballot tally and the paper ballot tally. The Commission strongly recommends 
that states determine well in advance of elections which will be the ballot of record. 




3.2 AUDITS 

While voter-verifiable paper ballots will contribute to strengthening public confidence in
DREs, regular audits of voting machines are also needed to double-check the accuracy of
the machines’ vote tallies. Such audits were required by law in 10 states as of mid-August
2005. To carry out such audits, election officials would randomly select a sample of voting
machines and compare the vote total recorded by the machines with the vote total on the
paper ballots. The audits would test the reliability of voting machines and identify
problems, often before a close or disputed election takes place. This, in turn, would
encourage both suppliers and election officials to effectively maintain voting machines.

Some concern has been expressed about the possibility of manipulation of paper audit
trails. If DREs can be manipulated to alter the vote tallies, the same can be done with
paper audit trails. Such manipulation can be detected and deterred by regular audits of
voting machines. Regular audits should be done of voting machines, including DREs
and optical scan systems.
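
The audit procedure described above (randomly select a sample of machines, then compare each machine's electronic total with the hand count of its paper records) can be sketched as follows. This is an added illustration, not part of the Commission's report; the machine identifiers, tallies and seed string are constructed, and deriving the random draw from a publicly announced seed is an assumption made here so that observers can reproduce the selection.

```python
import hashlib
import random

# Constructed sample data (not real election results): per-machine electronic
# tallies and the hand count of each machine's voter-verified paper records.
ELECTRONIC = {
    "DRE-01": {"Candidate A": 212, "Candidate B": 187},
    "DRE-02": {"Candidate A": 95, "Candidate B": 140},
    "DRE-03": {"Candidate A": 301, "Candidate B": 298},
    "DRE-04": {"Candidate A": 77, "Candidate B": 81},
}
PAPER = {
    "DRE-01": {"Candidate A": 212, "Candidate B": 187},
    "DRE-02": {"Candidate A": 95, "Candidate B": 140},
    "DRE-03": {"Candidate A": 296, "Candidate B": 303},  # disagrees with the machine
    # DRE-04 has no paper count at all (for example, its printer failed).
}


def select_machines(machine_ids, sample_size, public_seed):
    """Draw the audit sample reproducibly from a publicly announced seed.

    Assumption: the seed is generated in public (e.g. dice rolls) only AFTER
    the electronic tallies are committed, so nobody can know in advance which
    machines will be checked, yet anyone can re-run the draw afterwards.
    """
    ids = sorted(machine_ids)
    if not 0 < sample_size <= len(ids):
        raise ValueError("sample_size must be between 1 and the number of machines")
    seed = int.from_bytes(hashlib.sha256(public_seed.encode("utf-8")).digest(), "big")
    return sorted(random.Random(seed).sample(ids, sample_size))


def compare_machine(machine_id, electronic, paper):
    """Return (choice, electronic_count, paper_count) for every mismatch."""
    e_tally = electronic.get(machine_id)
    p_tally = paper.get(machine_id)
    if e_tally is None or p_tally is None:
        # A missing record is itself an audit finding, not a pass.
        return [("<no record>", e_tally, p_tally)]
    diffs = []
    for choice in sorted(set(e_tally) | set(p_tally)):
        e_count, p_count = e_tally.get(choice, 0), p_tally.get(choice, 0)
        if e_count != p_count:
            diffs.append((choice, e_count, p_count))
    return diffs


def run_audit(electronic, paper, sample_size, public_seed):
    """Audit a random sample; return (machines checked, findings per machine)."""
    selected = select_machines(electronic, sample_size, public_seed)
    findings = {}
    for machine_id in selected:
        diffs = compare_machine(machine_id, electronic, paper)
        if diffs:
            findings[machine_id] = diffs
    return selected, findings


if __name__ == "__main__":
    checked, problems = run_audit(ELECTRONIC, PAPER, 2, "constructed-public-seed")
    print("machines audited:", checked)
    for machine_id, diffs in problems.items():
        print(machine_id, "->", diffs)
```

A discrepancy found this way only shows that the two records differ; which record governs is the question recommendation 3.1.2 asks states to settle in advance.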


Recommendation on Audits 

3.2.1 State and local election authorities should publicly test all types of voting machines 
before, during, and after Election Day and allow public observation of zero machine 
counts at the start of Election Day and the machine certification process. 


3.3 SECURITY FOR VOTING SYSTEMS

DREs run on software that can be compromised. DRE software may get attacked or
hacked by outsiders, perhaps through the Internet. As experience in computer security
shows, it is often difficult to defend against such attacks. Hackers often are creative and
determined, and voting systems provide a tempting target. However, while some DREs
send their results to election headquarters over the Internet, they are not connected to the
Internet during voting.

The greater threat to most systems comes not from external hackers, but from insiders who
have direct access to the machines. Software can be modified maliciously before being
installed into individual voting machines. There is no reason to trust insiders in the election
industry any more than in other industries, such as gambling, where sophisticated insider
fraud has occurred despite extraordinary measures to prevent it. Software can also be
programmed incorrectly. This poses a likely threat when local programmers who lack the
necessary skills nonetheless modify the ballot for local offices, and many might not have the
sophistication required for the new machines.

In addition to the output of DREs, which can be verified through a paper audit trail, the
inside process of programming DREs should be open to scrutiny by candidates, their
supporters, independent experts, and other interested citizens, so that problems can be
detected, deterred, or corrected, and so that the public will have confidence in the machines.




At the same time, manufacturers of voting machines have legitimate reason to keep their
voting machine software and its source code proprietary. The public interest in transparency
and the proprietary interests of manufacturers can be reconciled by placing the source code
in escrow with the National Institute of Standards and Technology (NIST), and by making
the source code available for inspection on a restricted basis to qualified individuals. NIST
might make the source code available to recognized computer security experts at accredited
universities and to experts acting on behalf of candidates or political parties under a
nondisclosure agreement, which would bar them from making information about the source
code public, though they could disclose security flaws or vulnerabilities in the voting
system software.

Doubt has been raised that some manufacturers of voting machines provide enough security
in their systems to reduce the risk of being hacked. Such concerns were highlighted after a
group of computer security experts examined a voting system source code that was
accidentally left on the Internet. Independent inspection
of source codes would strengthen the security of voting systems software by encouraging
manufacturers to improve voting system security. Expert reviews may also detect software
design flaws or vulnerabilities. This, in turn, could bolster public confidence in the
reliability of DREs to accurately record and tally the vote in elections.

In addition to the source codes, the software and the voting machines themselves are
potentially vulnerable to manipulation. Security for voting systems should guard against
attempts to tamper with software or individual voting machines. When voting machines
are tested for certification, a digital fingerprint, also known as a “hash,” of their software is
often sent to NIST. Following the delivery of new voting machines, a local jurisdiction can
compare the software on these machines to the digital fingerprint at NIST. This
comparison either will identify changes made to the software before delivery or, if the
software is unaltered, will confirm that the software on the individual machines meets the
certified standards.
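
The fingerprint comparison described above can be sketched as follows. This is an added illustration, not part of the Commission's report and not any vendor's or NIST's tooling: the use of SHA-256, the manifest layout (relative file path mapped to hex digest) and the file names are assumptions, and the files are constructed in temporary directories so the example runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large software images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (by relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_delivery(root, reference):
    """Compare the software found on a delivered machine with the reference.

    Reports three different failure modes, because a check that only looks at
    the files it expects would miss software that was ADDED before delivery.
    """
    actual = build_manifest(root)
    report = {"modified": [], "missing": [], "unexpected": []}
    for name in sorted(reference):
        if name not in actual:
            report["missing"].append(name)
        elif actual[name] != reference[name].lower():
            report["modified"].append(name)
    report["unexpected"] = sorted(set(actual) - set(reference))
    report["matches_certified"] = not (
        report["modified"] or report["missing"] or report["unexpected"]
    )
    return report


def demo():
    """Build a constructed 'certified' tree and a 'delivered' tree, then verify."""
    with tempfile.TemporaryDirectory() as certified, \
            tempfile.TemporaryDirectory() as delivered:
        for root in (certified, delivered):
            (Path(root) / "app").mkdir()
            (Path(root) / "app" / "tally.bin").write_bytes(b"constructed tally module v1")
            (Path(root) / "loader.bin").write_bytes(b"constructed boot loader v1")

        # Stand-in for the fingerprint recorded at certification time.
        reference = build_manifest(certified)
        clean = verify_delivery(delivered, reference)

        # Simulate changes made to the software before delivery.
        (Path(delivered) / "app" / "tally.bin").write_bytes(b"constructed tally module v1 (altered)")
        (Path(delivered) / "loader.bin").unlink()
        (Path(delivered) / "extra.bin").write_bytes(b"constructed file not in certified build")
        altered = verify_delivery(delivered, reference)
    return clean, altered


if __name__ == "__main__":
    for label, result in zip(("as certified", "altered"), demo()):
        print(label, "->", result)
```

The comparison is only as trustworthy as the program doing the hashing and the channel through which the reference values arrive, so both need to be independent of the machine being checked.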

Once voting machines arrive at the local jurisdiction, election officials must take
precautions to ensure security by restricting access to authorized personnel and by
documenting access to the machines.

The process of testing and certifying voting machines is designed mainly to ensure their
reliability. Testing and certification is conducted under EAC supervision, although some
states require additional testing and certification. The state testing can make the process
more rigorous, particularly when voting machines are field tested. When California
conducted a mock election with new voting machines in July 2005, it found unacceptable
rates of malfunctions that were not apparent in lab tests.





No matter how secure voting machines are or how carefully they are used, they are liable to
malfunction. To avoid a situation where a machine malfunction will cause a major
disruption, local jurisdictions need to prepare for Election Day with a backup plan,
including how the vendor will respond to a machine malfunction and what alternatives,
including paper ballots, should be made available.


Recommendations on Security for Voting Systems 

3.3.1 The Independent Testing Authorities, under EAC supervision, should have responsibility 
for certifying the security of the source codes to protect against accidental or 
deliberate manipulation of vote results. In addition, a copy of the source codes should 
be put in escrow for future review by qualified experts. Manufacturers who are 
unwilling to submit their source codes for EAC-supervised testing and for review by
independent experts should be prohibited from selling their voting machines.

3.3.2 States and local jurisdictions should verify upon delivery of a voting machine that the 
system matches the system that was certified. 

3.3.3 Local jurisdictions should restrict access to voting equipment and document all access,
as well as all changes to computer hardware or software. 

3.3.4 Local jurisdictions should have backup plans in case of equipment failure on 
Election Day. 


3.4 INTERNET VOTING 

The Internet has become such a pervasive influence on modern life that it is natural for the
public and election officials to begin considering ways to use it to facilitate voting. The first
binding Internet election for political office took place in 2000, when the Arizona
Democratic Party used it during its primary. In 2004, the Michigan Democratic Party
allowed voting by Internet during its caucuses. Meanwhile, Missouri announced that any
member of the U.S. military serving in combat areas overseas could complete an absentee
ballot for the general election and email a scanned copy to the Department of Defense,
which then would forward it to the appropriate local election offices.

Despite these much-publicized trials, serious concerns have been raised about the push for
a “digital democracy.” In 2004, the Department of Defense cancelled its $22 million Secure
Electronic and Voting Registration Experiment (SERVE) program designed to offer
Internet voting during the presidential election to members of the U.S. military and other
overseas citizens. The cancellation came after a group of top computer scientists who
reviewed the system reported that without improved security, Internet voting is highly
susceptible to fraud.




First, there are the issues of privacy and authentication. When using the Internet, one
cannot assure voters that their ballot will remain secret. Second, the current system is not
fully secure. Although data sent via the Internet can be encrypted and then decoded by local
election administrators, hackers can compromise the system. This was the conclusion of the
computer scientists who reviewed the SERVE program for the Pentagon. Due to security
threats, some state and local election offices do not allow vote totals to be transmitted via
the Internet. Third, no government or industry standards specifically apply to Internet
voting technology. The EAC may begin developing such standards, but that work has not
begun. Finally, Internet voting from homes and offices may not provide the same level of
privacy as the voting booth.

To date, the most comprehensive study of Internet voting is contained in a 2001 report
sponsored by the National Science Foundation. This report urges further research and
experimentation to deal with the problems posed by this form of voting. Its authors suggest
that it will take at least a decade to examine the various security and authentication issues.
Our Commission agrees that such experimentation is necessary, and that the time for
Internet voting has not yet arrived.







4. Expanding Access to Elections

The Commission believes that the vitality of America's democracy depends on the active
participation of our citizens. Yet, even in the presidential election in 2004, when voter
interest was higher than normal, more than one in three eligible voters did not participate.
We need to do more to increase voter participation, and we have considered numerous
methods. None of them will solve the problem, but we encourage states to experiment with
alternatives to raise the level of voter participation.

Recent elections have seen a substantial increase in early voting and in voting by mail.
While only 8 percent of ballots were cast before Election Day in 1994, by 2004 the
percentage of ballots cast before Election Day had risen to 22 percent. This increase in early
and convenience voting has had little impact on voter turnout, because citizens who vote
early or vote by mail tend to vote anyway. Early and convenience voting are popular, but
there is little evidence that they will significantly expand participation in elections.

There are other measures that can be taken to expand participation, particularly for military
and overseas voters and for citizens with disabilities. There is also much to do with regard
to civic and voter education that could have a long-term and lasting effect, particularly on
young people. However, we first need to reach out to all eligible voters and remove any
impediments to their participation created by the registration process or by identification
requirements.

All citizens, including citizens with disabilities, need to have access to polling places.
Polling places should be located in public buildings and other semipublic venues such as
churches and community centers that comply with the Americans with Disability Act (ADA).
Additionally, polling places should be located and protected so that voters can participate
free of intimidation and harassment. Polling places should not be located in a candidate's
headquarters or in homes or business establishments that are not appropriately accessible to
voters with disabilities.

4.1 ASSURED ACCESS TO ELECTIONS

The Commission’s proposals for a new electoral system contain elements to assure the
quality of the list and the integrity of the ballot. But to move beyond the debate between
integrity and access, specific and important steps need to be taken to assure and improve
access to voting.

States have a responsibility to make voter registration accessible by taking the initiative to
reach out to citizens who are not registered, for instance by implementing provisions of the
National Voter Registration Act that allow voter registration at social-service agencies or by
conducting voter registration and REAL ID card drives with mobile offices. Michigan, for
example, uses a mobile office to provide a range of services, including driver's licenses and
voter registration. This model should be extended to all the states.

Political party and nonpartisan voter registration drives generally contribute to the
electoral process by generating interest in upcoming elections and expanding participation.
However, they are occasionally abused. There were reports in 2004 that some party activists
failed to deliver voter registration forms of citizens who expressed a preference for the
opposing party. During the U.S. House Administration Committee hearings in Ohio, election
officials reported being deluged with voter registration forms at the last minute before the
registration deadline, making it difficult to process these registrations in a timely
manner. Many of the registration forms delivered in October to election officials were
actually collected in the spring.

Each state should therefore oversee political party and nonpartisan voter registration drives
to ensure that they operate effectively, that registration forms are delivered promptly to
election officials, that all completed registration forms are delivered to the election
officials, and that none are “culled” and omitted according to the registrant's partisan
affiliation. Measures should also be adopted to track and hold accountable those who are
engaged in submitting fraudulent voter registrations. Such oversight might consist of
training activists who conduct voter registration drives and tracking voter registration
forms to make sure they are all accounted for. The tracking of voter registration forms will
require better cooperation between the federal and state governments, perhaps through the
EAC, as the federal government puts some registration forms online. In addition, states
should apply a criminal penalty to any activist who deliberately fails to deliver a completed
voter registration form.



Recommendations on Assured Access to Elections 

4.1.1 States should undertake their best efforts to make voter registration and ID accessible
and available to all eligible citizens, including Americans with disabilities. States
should also remove all unfair impediments to voter registration by citizens who are
eligible to vote.

4.1.2 States should improve procedures for voter registration efforts that are not conducted
by election officials, such as requiring state or local registration and training of any
"voter registration drives."

4.1.3 Because there have been reports that some people allegedly did not deliver registration
forms of those who expressed a preference for another party, states need to take special
precautions to assure that all voter registration forms are fully accounted for. A unique
number should be printed on the registration form and also on a detachable receipt so
that the voter and the state election office can track the status of the form. In addition,
voter registration forms should be returned within 14 days after they are signed.




4.2 VOTE BY MAIL 

A growing number of Americans vote by mail. Oregon moved entirely to a vote-by-mail
system in 1998, and the practice of casting ballots by mail has continued to expand
nationwide as voters and election officials seek alternatives to the traditional system of
voting at polling stations. The state legislatures of California and of Washington state have
considered legislation to expand the use of vote by mail, and in 24 states no excuse is
required to vote absentee.

The impact of vote by mail is mixed. Proponents argue that vote by mail facilitates
participation among groups that experience low voter turnout, such as elderly Americans
and Native Americans.

While vote by mail appears to increase turnout for local elections, there is no evidence that
it significantly expands participation in federal elections. Moreover, it raises concerns
about privacy, as citizens voting at home may come under pressure to vote for certain
candidates, and it increases the risk of fraud. Oregon appears to have avoided significant
fraud in its vote-by-mail elections by introducing safeguards to protect ballot integrity,
including signature verification.

Vote by mail is, however, likely to increase the risks of fraud and of contested elections in
other states, where the population is more mobile, where there is some history of troubled
elections, or where the safeguards for ballot integrity are weaker.

The case of King County, Washington, is instructive. In the 2004 gubernatorial elections,
when two in three ballots there were cast by mail, authorities lacked an effective system to
track the number of ballots sent or returned. As a result, King County election officials
were unable to account for all absentee ballots. Moreover, a number of provisional ballots
were accepted without signature verification. The failures to account for all absentee
ballots and to verify signatures on provisional ballots became issues in the protracted
litigation that followed Washington state’s 2004 gubernatorial election.

Vote by mail is popular but not a panacea for declining participation. While there is little
evidence of fraud in Oregon, where the entire state votes by mail, absentee balloting in
other states has been one of the major sources of fraud. Even in Oregon, better precautions
are needed to ensure that the return of ballots is not intercepted.

The evidence on “early” voting is similar to that of vote by mail. People like it, but it does
not appear to increase voter participation, and there are some drawbacks. It allows a
significant portion of voters to cast their ballot before they have all of the information that
will become available to the rest of the electorate. Crucial information about candidates
may emerge in the final weeks or even days of an election campaign. Early and convenience
voting also detracts from the collective expression of citizenship that takes place on Election
Day. Moreover, the cost of administering elections and of running campaigns tends to
increase when early and mail-in voting is conducted in addition to balloting on Election
Day. Early voting should commence no earlier than 15 days prior to the election, so that
all voters will cast their ballots on the basis of largely comparable information about the
candidates and the issues.


Recommendation on Vote by Mail 

4.2.1 The Commission encourages further research on the pros and cons of vote by mail and 
of early voting. 


4.3 VOTE CENTERS 

Another alternative to voting at polling stations is the innovation of “vote centers,”
pioneered by Larimer County, Colorado. Vote centers are larger in size than precincts but
fewer in number. They are dispersed throughout the jurisdiction, but close to heavy traffic
routes, larger residential areas, and major employers. These vote centers allow citizens to
vote anywhere in the county rather than just at a designated precinct. Because these vote
centers employ economies of scale, fewer poll workers are required, and they tend to be
more professional. Also, the vote centers are reported to use more sophisticated technology
that is more accessible to voters with disabilities. Vote centers eliminate the incidence of
out-of-precinct provisional ballots, but they need to have a unified voter database that can
communicate with all of the other centers in the county to ensure that eligible citizens vote
only once.

While vote centers appear to have operated effectively in Larimer County, further research
is needed to determine if the costs of establishing vote centers are offset by the savings of
eliminating traditional polling sites. Moreover, because vote centers replace traditional
voting at precincts, which are generally closer to a voter’s home, it is not clear that citizens
actually view them as more convenient.


Recommendations on Vote Centers 

4.3.1 States should modify current election law to allow experimentation with voting centers. 
More research, however, is needed to assess whether voting centers expand voter 
participation and are cost effective. 

4.3.2 Voting centers need a higher quality, computer-based registration list to assure that
citizens can vote at any center without being able to vote more than once.




4.4 MILITARY AND OVERSEAS VOTING 

Mitkary and o\'Ctseas voting pieseot subscandal Ic^tical challenges, yet we cannot 
overstate the imperative of &cilicinng panidparion in cicaions by military and overseas 
voters, particularly by «rvioe men and women who put their lives on the line for their 
country. The Commission calls on every state, with federal government assistance, to make 
every effort to provide all military and ovmeas voters with ample opportunity to vote in 
federal elections. 

More than six million eil^ble voters serve in the Armed 
Forces or live overseas. Th«e voters include 2.7 million 
military and their dependents and 3-4 million diplomats. 

Peace Corps volunteers, Mid oAcr civilian government 
and other citixens overseas.*^ 

Voter turnout ammig members of the aimed forces is 
high. So is the level of frustration they experience when 
their votes cannot be counted. TTiis happens largely 
becaase of rhe time required ly the three-step process of 
applying for an absentee ballot, receiving one, and then 
returning a completed ballot. The process is complicated 
by the diifercnces Mnong states and among localities in 
the registration deadline, ballot format, and requirements 
for ballot return, and it is exacerbated because of the 
mobility of service men and women during a time of 
conflict. Since September 11, 2001, more than 500.000 
National Guard and Reserve personnel have been 
mobilised, and many were relocated before they received 
their absentee ballots. 

Congress passed the Uniformed and Overseas Citizens 
Absentee Voting Act (UOCAVA) in 1986 to help eligible members of the armed services 
and their families, and other citizens overseas, to vote. UOCAVA required each state to have 
a single office to provide information on voter registration and absentee ballot procedures 
for military voters. The Help America Vote Act of 2002 (HAVA) recommended — but did 
not require — that this state office should coordinate voting by military personnel by 
receiving absentee ballot applications and collecting voted ballots. The introduction of 
statewide voter registration databases under HAVA provides an opportunity to put this 
recommendation into practice. But aside from Alaska, which already had a single state 
office, no state has centralized the processing of absentee ballots. This is another example as 
to why recommending, rather than requiring, a course of action is insufficient. 

The Commission recommends that when registering members of the armed forces and 
other overseas voters, states should inquire whether to send an absentee ballot to them 
automatically, thus saving a step in the process. 

In the 2004 presidential election, approximately one in four military voters did not vote for 
a variety of reasons: The absentee ballots were not returned or arrived too late; they were 
rejected for procedural deficiencies, such as a signature not properly witnessed on the back 
of the return envelope; blank ballots were returned as undeliverable; or Federal Post Card 
Applications were rejected. 





The U.S. Department of Defense's Federal Voting Assistance Program, which assists 
military and overseas voters, tried to reduce the time lag for absentee voting by launching 
an electronic voting experiment. However, this experiment was ended because of 
fundamental security problems (see above on “Internet voting”). In the meantime, the 
Federal Voting Assistance Program encouraged states to send blank ballots out electronically 
and to accept voted ballots by fax. There now are 32 states that permit fax delivery of a 
blank ballot to military voters and 25 states that allow military voters to return their voted 
ballot by fax. In addition, some jurisdictions allow the delivery of blank ballots by email. 
The return of voted ballots by fax or email, however, is a violation of the key principle of a 
secret ballot, and it is vulnerable to abuse or fraud. 

Although the Uniformed and Overseas Citizens Absentee Voting Act applies to both 
military and nonmilitary voters overseas, procedures to facilitate overseas voting serve 
military voters better than civilians. To provide civilian overseas voters with equal 
opportunities to participate in federal elections, new approaches are needed at both the 
federal and state levels. 


Recommendations on Military and Overseas Voting 

4.4.1 The law calling for state offices to process absentee ballots for military and overseas 
government and civilian voters should be implemented fully, and these offices should be 
under the supervision of the state election offices. 

4.4.2 New approaches should be adopted at the federal and state levels to facilitate voting 
by civilian voters overseas. 

4.4.3 U.S. Department of Defense (DOD) should supply to all military posted outside the 
United States a Federal Postcard Application for voter registration and a Federal 
Write-In Absentee Ballot for calendar years in which there are federal elections. With 
adequate security protections, it would be preferable for the application forms for 
absentee ballots to be filed by Internet. 

4.4.4 The states, in coordination with the U.S. Department of Defense's Federal Voting 
Assistance Program, should develop a system to expedite the delivery of ballots to 
military and overseas civilian voters by fax, email, or overnight delivery service, but 
voted ballots should be returned by regular mail, and by overnight mail whenever 
possible. The Defense Department should give higher priority to using military aircraft 
returning from bases overseas to carry ballots. Voted ballots should not be returned by 
email or by fax as this violates the secrecy of the ballot and is vulnerable to fraud. 

4.4.5 All ballots subject to the Uniform and Overseas Civilians Absentee Voting Act must 
be mailed out at least 45 days before the election (if request is received by then) or 
within two days of receipt after that. If the ballot is not yet set, due to litigation, a 
late vacancy, etc., a temporary ballot listing all settled offices and ballot issues must 
be mailed. 




4.4.6 States should count the ballots of military and overseas voters up to 10 days after an 
election if the ballots are postmarked by Election Day. 

4.4.7 As the technology advances and the costs decline, tracking systems should be added to 
absentee ballots so that military and overseas voters may verify the delivery of their 
voted absentee ballots. 

4.4.8 The Federal Voting Assistance Program should receive a copy of the report that states 
are required under HAVA to provide the EAC on the number of absentee ballots sent 
to and received from military and overseas voters. 


4.5 ACCESS FOR VOTERS WITH DISABILITIES 

There are almost 30 million voting-aged Americans with some kind of disability — about 
15 percent of the population (see Table 3 on page 40). Less than half of them vote. There 
are federal laws to facilitate voting and registration by eligible Americans with disabilities, 
but these laws have not been implemented with any vigor. As a result, voters with 
disabilities still face serious barriers to voting. Congress passed the Voting Accessibility for 
the Elderly and Handicapped Act in 1984 and the 
Americans with Disabilities Act of 1990, which required 
local authorities to make polling places physically 
accessible to people with disabilities for federal elections. 

Yet a Government Accountability Office survey of the 
nation's polling places in 2000 found that 84 percent of 
polling places were not accessible on Election Day. By 
2004, accessibility for voters with disabilities had 
improved only marginally. Missouri, for example, 
surveyed every polling place in the state and found that 71 
percent were not accessible. Most other states have not 
even conducted surveys. 

There is similarly weak implementation of laws designed 
to facilitate voter registration by citizens with disabilities. 
Section 7 of the National Voter Registration Act (NVRA) 
requires state-funded agencies which provide services to 
citizens with disabilities to offer the opportunity to 
register citizens to vote. Implementation of this 
requirement, according to advocates for voters with 
disabilities, is rare or poor. 





HAVA provided additional support to Section 7 of NVRA by including social-service 
agencies as places to register voters, but only one state, Kentucky, has complied with Section 
7, according to advocates for voters with disabilities. Moreover, at the current time, there is 
not a single case where the new statewide voter databases comply with Section 7. Thus, 
12 years after the National Voter Registration Act was passed, voters with disabilities still 
cannot apply for voter registration at all social service offices. 


TABLE 3: Estimates of U.S. Voting Population with Disabilities by Type 

Disability Type                                         Population Age 16      Percent of Total 
                                                        and Older              Voting Age 
                                                        (in millions)          Population 

Sensory, Physical, Mental or Self-Care Disability       29.5                   15% 
Self-Care Disability                                    6.4                    3% 
Physical Disability                                     12.5                   6% 
Mental Disability                                       4.0                    2% 
Sensory Disability                                      3.9                    2% 
Sensory and Physical Disability                         2.5                    1% 
Sensory, Physical, and Mental Disability                2.0                    1% 
Total Voting Age Population in the U.S. (18 and older)  203.0                  100% 

NOTES: Respondents able to report more than one 

SOURCES: U.S. Census Bureau, Selected Types of Disability for the Civilian Noninstitutionalized Population 
5 Years and Over by Age: 2000; U.S. Census Bureau, Voting and Registration in the Election of November 2000. 


Recommendations on Access for Voters With Disabilities 

4.5.1 To improve accessibility of polling places for voters with disabilities, the U.S. 
Department of Justice should improve its enforcement of the Americans with 
Disabilities Act and the accessibility requirements set by the Help America Vote Act. 

4.5.2 States should make their voter registration databases interoperable with social-service 
agency databases and facilitate voter registration at social-service offices by citizens 
with disabilities. 

4.5.3 States and local jurisdictions should allow voters with disabilities to request an 
absentee ballot when they register and to receive an absentee ballot automatically for 
every subsequent election. Local election officials should determine which voters with 
disabilities would qualify. 


4.6 RE-ENFRANCHISEMENT OF EX-FELONS 

Only Maine and Vermont allow incarcerated citizens to vote. In all other states, citizens 
who are convicted of a felony lose their right to vote, either temporarily or permanently. An 
estimated 4.65 million Americans have currently or permanently lost their right to vote as 
a result of a felony conviction. Most states reinstate that right upon completion of the full 
sentence, including of parole, but three states — Florida, Kentucky, and Virginia — 
permanently ban all ex-felons from voting, and another 10 states have a permanent ban on 
voting by certain categories of ex-felons. These laws have a disproportionate impact 
on minorities. 

Some states impose a waiting period after felons complete their sentence before they can 
vote. Few states take the initiative to inform ex-felons when their voting rights are restored. 
As a result, only a small portion of the ex-felons who have regained their voting rights are 
registered to vote. 

Proponents of re-enfranchisement argue that ex-felons have paid their debt to society when 
they have completed their full sentence. Restoring their right to vote would encourage them 
to reintegrate into society. Each state therefore should automatically restore the voting 
rights of ex-felons who have completed their full sentence, including any terms of parole 
and compensation to victims. Opponents of re-enfranchisement, however, see this as a 
“punishment” issue rather than a “voting rights” issue. They believe that each state should 
be free to decide whether to restore the voting rights of ex-felons. States set punishment for 
state crimes, and this often extends beyond the completion of a felon's sentence. Ex-felons 
are, for instance, usually barred from purchasing firearms or from getting a job as a public- 
school teacher. Nonetheless, weighing both sides of the debate, the Commission believes 
that voting rights should be restored to certain categories of felons after they served the debt 
to society. 


Recommendations on Re-Enfranchisement of Ex-Felons 

4.6.1 States should allow for restoration of voting rights to otherwise eligible citizens who 
have been convicted of a felony (other than for a capital crime or one which requires 
enrollment with an offender registry for sex crimes) once they have fully served their 
sentence, including any term of probation or parole. 

4.6.2 States should provide information on voter registration to ex-felons who have become 
eligible to vote. In addition, each state's department of corrections should automatically 
notify the state election office when a felon has regained eligibility to vote. 


4.7 VOTER AND CIVIC EDUCATION 

Among the simplest ways to promote greater and more informed participation in elections 
is to provide citizens with basic information on voting and the choices that voters will face 
in the polling booth. HAVA requires only that basic voter information, including a sample 
ballot and instructions on how to vote, be posted at each polling site on Election Day. 
However, additional voter information is needed. 

States or local jurisdictions should provide information by mail and on their Web sites to 
educate voters on the upcoming ballot — on the issues and the candidates, who will 
provide the information about themselves. Local election officials should set limits on the 
amount — but not the content — of information to be provided by the candidates. In 
Washington state, for example, every household is mailed a pamphlet with information on 
how to register, where to vote, and texts of election laws and proposed ballot initiatives and 
referendums. This voters' pamphlet also has a picture of each 
candidate for statewide office and a statement of the candidate's 
goals for the office they seek. In addition, there should be greater 
use of the radio and television to communicate these messages. 

Efforts to provide voter information and education to young 
Americans merit particular attention. Voter turnout among youth 
declined steadily from the 1970s to 2000, when it was 24 percent 
lower than turnout of the entire electorate. In 2004, however, there 
was a surge of 11 percent in voter turnout among Americans aged 
18 to 24, and the gap between youth turnout and overall turnout 
dropped to 17 percent (see Table 4). 

While participation by youth increased significantly in the last 
election, it continues to lag far behind the rest of the population. It 
can and should be increased by instructing high school students on 
their voting rights and civic responsibilities. Just one course in civics 
or American government can have a strong influence on youth 
participation in elections. According to a 2003 survey, about twice 
as many young Americans who have taken a civics course are 
registered to vote and have voted in all or most elections than 
young Americans who have never taken such a course. 

Moreover, Americans want public schools to prepare their children for citizenship and to 
provide better civic education. While most Americans believe that the most important 
goal of public schools is to develop basic skills, seven in 10 respondents to a 2004 survey 
agreed that preparing students to become responsible citizens is a “central purpose of 
public schools.” When asked to grade the civic education programs of public schools, 54 
percent of respondents give these programs a “C” and 22 percent give them a “D.” 

It is difficult to assess the current efforts of state and local voting and civic education 
programs because only one state, Florida, publishes a report on its activities and spending 
in this area. We recommend that more states and local jurisdictions follow Florida's 
example in order to generate more information on the most effective methods for voter 
and civic education. 


TABLE 4: Voter Turnout in Presidential Elections by Age, 1972-2004 

Age Range         1972   1976   1980   1984   1988   1992   1996   2000   2004 

18 to 24 years    49.6   42.2   39.9   40.8   36.2   42.8   32.4   32.3   41.9 
25 to 44 years    62.7   58.7   58.7   58.4   54.0   58.3   49.2   49.8   52.2 
45 to 64 years    70.8   68.7   69.3   69.8   67.9   70.0   64.4   64.1   66.6 
65 years+         63.5   62.2   65.1   67.7   68.8   70.1   67.0   67.6   68.9 

SOURCE: U.S. Census Bureau (2004). 












Recommendations on Voter and Civic Education 

4.7.1 Each state should publish a report on its voter education spending and activities. 

4.7.2 States should engage in appropriate voter education efforts in coordination with local 
election authorities to assure that all citizens in their state have the information 
necessary to participate in the election process. 

4.7.3 Each state should use its best efforts to instruct all high school students on voting 
rights and how to register to vote. In addition, civic education programs should be 
encouraged in the senior year of high school, as these have been demonstrated to 
increase voter participation by youth. 

4.7.4 Local election authorities should mail written notices to voters in advance of an 
election advising the voter of the date and time of the election and the polling place 
where the voter can cast a ballot and encouraging the citizens to vote. The notice 
should also provide a phone number for the voter to contact the election authorities 
with any questions. 

4.7.5 States should mail pamphlets to voters, and post the pamphlet material on their Web 
sites, to provide information about the candidates for statewide office and about ballot 
initiatives and referenda. 

4.7.6 The federal government should provide matching funds for the states to encourage civic 
and voter education and advertisements aimed to encourage people to vote. 





5. Improving Ballot Integrity 

Because the integrity of the ballot is a hallmark of democracy, it is imperative that election 
officials guarantee eligible voters the opportunity to vote, but only once, and tabulate 
ballots in an accurate and fair manner. 


5.1 INVESTIGATION AND PROSECUTION OF ELECTION FRAUD 

While election fraud is difficult to measure, it occurs. The U.S. Department of Justice 
has launched more than 180 investigations into election fraud since October 2002. 
These investigations have resulted in charges for multiple voting, providing false 
information on their felon status, and other offenses against 89 individuals and in 
convictions of 52 individuals. The convictions related to a variety of election fraud 
offenses, from vote buying to submitting false voter registration information and 
voting-related offenses by non-citizens. 

In addition to the federal investigations, state attorneys general and local prosecutors handle 
cases of election fraud. Other cases are never pursued because of the difficulty in obtaining 
sufficient evidence for prosecution or because of the low priority given to election fraud 
cases. One district attorney, for example, explained that he did not pursue allegations of 
fraudulent voter registration because that is a victimless and nonviolent crime. 

Election fraud usually attracts public attention and comes under investigation only in close 
elections. Courts may only overturn an election result if there is proof that the number of 
irregular or fraudulent votes exceeded the margin of victory. When there is a wide margin, 
the losing candidate rarely presses for an investigation. Fraud in any degree and in any 
circumstance is subversive to the electoral process. The best way to maintain ballot integrity 
is to investigate all credible allegations of election fraud and otherwise prevent fraud before 
it can affect an election. 

Investigation and prosecution of election fraud should include those acts committed by 
individuals, including election officials, poll workers, volunteers, challengers or other 
nonvoters associated with the administration of elections, and not just fraud by voters. 


Recommendations on Investigation and Prosecution of Election Fraud 

5.1.1 In July of even-numbered years, the U.S. Department of Justice should issue a public 
report on its investigations of election fraud. This report should specify the numbers of 
allegations made, matters investigated, cases prosecuted, and individuals convicted for 
various crimes. Each state's attorney general and each local prosecutor should issue a 
similar report. 

5.1.2 The U.S. Department of Justice's Office of Public Integrity should increase its staff to 
investigate and prosecute election-related fraud. 




5.1.3 In addition to the penalties set by the Voting Rights Act, it should be a federal felony 
for any individual, group of individuals, or organization to engage in any act of 
violence, property destruction (of more than $500 value), or threatened act of violence 
that is intended to deny any individual his or her lawful right to vote or to participate 
in a federal election. 

5.1.4 To deter systemic efforts to deceive or intimidate voters, the Commission recommends 
federal legislation to prohibit any individual or group from deliberately providing the 
public with incorrect information about election procedures for the purpose of 
preventing voters from going to the polls. 


5.2 ABSENTEE BALLOT AND VOTER REGISTRATION FRAUD 

Fraud occurs in several ways. Absentee ballots remain the largest source of potential voter 
fraud. A notorious recent case of absentee ballot fraud was Miami's mayoral election of 
1998, and in that case, the judge declared the election fraudulent and called for a new 
election. Absentee balloting is vulnerable to abuse in several ways: Blank ballots mailed to 
the wrong address or to large residential buildings might get intercepted. Citizens who vote 
at home, at nursing homes, at the workplace, or in church are more susceptible to pressure, 
overt and subtle, or to intimidation. Vote buying schemes are far more difficult to detect 
when citizens vote by mail. States therefore should reduce the risks of fraud and abuse in 
absentee voting by prohibiting “third-party” organizations, candidates, and political party 
activists from handling absentee ballots. States also should make sure that absentee ballots 
received by election officials before Election Day are kept secure until they are opened and 
counted. 

Non-citizens have registered to vote in several recent elections. Following a disputed 1996 
congressional election in California, the Committee on House Oversight found 784 invalid 
votes from individuals who had registered illegally. In 2000, random checks by the 
Honolulu city clerk’s office found about 200 registered voters who had admitted they were 
not U.S. citizens. In 2004, at least 35 foreign citizens applied for or received voter cards 
in Harris County, Texas, and non-citizens were found on the voter registration lists in 
Maryland as well. 

The growth of “third-party” (unofficial) voter registration drives in recent elections has led 
to a rise in reports of voter registration fraud. While media attention focused on reports of 
fraudulent voter registrations with the names of cartoon characters and dead people, 
officials in 10 states investigated accusations of voter registration fraud stemming from 
elections in 2004, and between October 2002 and July 2005, the U.S. prosecuted 19 
people charged with voter registration fraud. Many of these were submitted by third-party 
organizations, often by individuals who were paid by the piece to register voters. 

States should consider new legislation to minimize fraud in voter registration, particularly 
to prevent abuse by third-party organizations that pay for voter registration by the piece. 
Such legislation might direct election offices to check the identity of individuals registered 
through third-party voter registration drives and to track the voter registration forms. 

HAVA requires citizens who register by mail to vote in a state for the first time to provide 
an ID when they register or when they vote. Some states have interpreted this requirement 
to apply only to voter registration forms sent to election offices by mail, not to forms 
delivered by third-party organizations. As a result, neither the identity nor the actual 
existence of applicants is verified. All citizens who register to vote with a mail-in form, 
whether that form is actually sent by mail or is instead hand-delivered, should comply with 
HAVA's requirements or with stricter state requirements on voter ID, by providing proof of 
identity either with their registration application or when 
they appear at the polling station on Election Day. In this 
way, election offices will be obliged to verify the identity 
of every citizen who registers to vote, whether or not the 
registration occurs in person. 

In addition, states should introduce measures to track 
voter registration forms that are handled by third-party 
organizations. By assigning a serial number to all forms, 
election officials will be able to track the forms. This, in 
turn, will help in any investigations and prosecutions and 
thus will serve to deter voter registration fraud. 

Many states allow the representatives of candidates or 
political parties to challenge a person's eligibility to register 
or vote or to challenge an inaccurate name on a voter roll. This practice of challenges may 
contribute to ballot integrity, but it can have the effect of intimidating eligible voters, 
preventing them from casting their ballot, or otherwise disrupting the voting process. New 
procedures are needed to protect voters from intimidating tactics while also offering 
opportunities to keep the registration rolls accurate, and to provide observers with 
meaningful opportunities to monitor the conduct of the election. States should define clear 
procedures for challenges, which should mainly be raised and resolved before the deadline 
for voter registration. After that, challengers will need to defend their late actions. On 
Election Day, they should direct their concerns to poll workers, not to voters directly, and 
should in no way interfere with the smooth operation of the polling station. 



Recommendations on Absentee Ballot and Voter Registration Fraud 

5.2.1 State and local jurisdictions should prohibit a person from handling absentee ballots 
other than the voter, an acknowledged family member, the U.S. Postal Service or other 
legitimate shipper, or election officials. The practice in some states of allowing 
candidates or party workers to pick up and deliver absentee ballots should be 
eliminated. 

5.2.2 All states should consider passing legislation that attempts to minimize the fraud that 
has resulted from "payment by the piece" to anyone in exchange for their efforts in 
voter registration, absentee ballot, or signature collection. 

5.2.3 States should not take actions that discourage legal voter registration or get-out-the- 
vote activities or assistance, including assistance to voters who are not required to vote 
in person under federal law. 




6. Election Administration 

To build confidence in the electoral process, it is important that elections be administered in 
a neutral and professional manner. Election officials, from county clerks and election board 
members to secretaries of state and U.S. Election Assistance Commission members, generally 
have shown great skill and dedication in administering elections in a fair and impartial 
manner. The institutions of election administration, however, are in need of improvement, 
so that they instill greater public confidence in the election process and allow election 
officials to carry out their responsibilities more effectively (see Table 5 on page 52). 

Elections are contests for power and, as such, it is natural that politics will influence every 
part of the contest, including the administration of elections. In recent years, some partisan 
election officials have played roles that have weakened public confidence in the electoral 
process. Many other partisan election officials have tried to execute their responsibilities in 
a neutral manner, but the fact that they are partisan sometimes raises suspicions that they 
might favor their own party. Most other democratic countries have found ways to insulate 
electoral administration from politics and partisanship by establishing truly autonomous, 
professional, and nonpartisan independent national election commissions that function 
almost like a fourth branch of government. The United States, too, must take steps to 
conduct its elections impartially both in practice and in appearance. 

Impartial election administration, however, is not enough. Elections must also be 
administered effectively if they are to inspire public confidence. Long lines at polling 
stations, inadequately trained poll workers, and inconsistent or incorrect application of 
electoral procedures may have the effect of discouraging voter participation and may, on 
occasion, raise questions about bias in the way elections are conducted. While problems at 
polling stations usually reflect a shortage of trained poll workers or poor management of 
polling station operations, rather than an attempt to seek partisan advantage, the result is 
much the same. Such problems raise public suspicions or may provide grounds for the 
losing candidate to contest the result in a close election. 

6.1 INSTITUTIONS 

The intense partisanship and the close division of the American electorate, coupled with 
the Electoral College system, raise the possibility of another presidential election decided by 
a razor-thin margin in one or more battleground states. Although voting technology is 
improving, presidential elections are held in a decentralized system with a patchwork of 
inconsistent rules. In addition, in recent years, election challenges in the courts have 
proliferated. 

Close elections, especially under these conditions, put a strain on any system of election 
administration, and public opinion demonstrates this. Significant segments of the 
American public have expressed concern about voter fraud, voter suppression, and the 
fairness of the election process in general. While substantially more Democrats than 
Republicans surveyed in national polls considered the 2004 presidential election unfair, 41 
percent more Republicans than Democrats said the electoral process was unfair in 
Washington state’s 2004 gubernatorial election, which the Democratic candidate won by a 
very narrow margin. The losing side, not surprisingly, is unhappy with the election result, 
but what is new and dangerous in the United States is that the supporters of the losing side 
are beginning to believe that the process is unfair. And this is true of both parties. 




Ac irs baK, the problem is a oarabusdble mbmue of partisan suspicion and irregularities 
born in part from a decentralized ofdecdon adminisnation with difiering state laws 

determining voter registration anddig^tHli^ and whether a ballot is actually counted. The 
irregularities, by and laige, stem from a lack of resources and inadequate training for 
election workers, particularly those who work just on Q«:tion Day. In other countries, such 
irregularities sometimes lead ro street f«otesB or violence. In the United States, up until 
now, wc have been relatively fortunate that irr^larities are addressed in court. The 
dramatic increase in election-related lirigation in recent years, however, does not enhance 
the public’s perception of elections and may in feet weaken public confidence. The average 
number of election challenges per )rear has increased from 96 in the period of 1996 to 1999 
to 254 in 2001 to 2004.® 

Another major source of public mistrust of the election process 
is the perception of partisanship in actions taken by partisan 
eleaion officials. In a majority of states, election administration 
comes under the authority of the secretary of state. In 2000 and 
2004, both Republican and Democratic secretaries of state were 
accused of Was because of their discretionary decisions — such 
as how to interpret unclear provisions of HAVA. The issue is 
not one erf" personali^' or a particular political party because 
auctions and irregularities dogged officials from both parries. 
The issue is the institution and the perception of partiality that 
is unavoidable if the chief elcalon officer is a statewide 
politician and the eleaion b dose, has irr^ularities, or is 
disputed. The perception of partiality b as important, if not 
more so. than the reality. 

Bipartisan election administration has the advantage of 
allowing both panics to participate, but the flaws of such a 
system are evident in the experience of the Federal Election 
Commission (FEQ. The FEC has often become deadlocked on key issues. In the cases 
when the FEC commissioners agree, they sometimes prorect the two parties from 
enforcement rather chan represent the public’s interest in regulating campaign finance. 

NONPARTISAN ELECTION ADMINISTRATION. To minimize the chance of election meltdown
and to build public trust in the electoral process, nonpartisan structures of election
administration are very important, and election administrators should be neutral,
professional, and impartial. At the federal level, the U.S. Election Assistance Commission
should be reconstituted on a nonpartisan basis to exercise whatever powers are granted by
law, and the EAC chairperson should serve as a national spokesperson, as the chief elections
officer in Canada does, for improving the electoral process. States should consider
transferring the authority for conducting elections from the secretary of state to a chief
election officer, who would serve as a nonpartisan official.

States could select a nonpartisan chief elections officer by having the individual subject to
approval by a super-majority of two-thirds of one or both chambers of the state legislature.
The nominee should receive clear bipartisan support. This selection process is likely to yield
a respected consensus candidate or, at least, a nonpartisan candidate.



Report of the Commission on Federal Election Reform




The EAC, in its 18 months of operation, has managed to make its decisions by consensus.
While this is a significant accomplishment for a bipartisan, four-member commission, it
has come at a cost. The EAC has been slow to issue key guidance, and the guidance it has
issued has often been vague. The process of forging consensus among the EAC’s
commissioners appears to have slowed and watered down key decisions, particularly as they
have come under pressure from their respective political parties. If the EAC were
reconstituted as a nonpartisan commission, it would be better able to resist partisan political
pressure and operate more efficiently and effectively.

To avoid the dangers of bipartisan stalemate, the EAC should be reconstituted as a
five-member commission, with a strong chairperson and nonpartisan members. This would be
done initially by adding a fifth position to the EAC and making that position the
chairperson, when the current chairperson’s term ends. The new EAC chairperson would
be nonpartisan, nominated by the President, and
confirmed by the U.S. Senate. Later, as the terms of other
EAC commissioners expired, they would be replaced by
nonpartisan commissioners, subject to Senate
confirmation as well.

INDEPENDENCE AND AUTHORITY. For the positions of
EAC commissioners and state chief elections officers to
remain both nonpartisan and effective, they must be
insulated from political pressure. This can be done by the
terms of appointment and the lines of responsibility. The
EAC commissioners and state chief elections officers
should receive a long-term appointment, perhaps 10
years. The grounds for dismissal should be limited, similar
to the rules for removal of a federal or state judge. The
EAC should have the autonomy to oversee federal election laws that Congress directs it to
implement and advise Congress and the President on needed improvements in election
systems. State chief elections officers should have similar autonomy.

Under HAVA, the EAC distributes federal funds to the states, issues voluntary guidance on
HAVA’s mandates, and serves as a clearinghouse for information on elections. In addition,
it develops standards for voting equipment and undertakes research on elections.

The flaws identified in the electoral system described in this report were due in large part to
a very decentralized system with voting standards implemented in different ways throughout
the country. If HAVA is fully and effectively implemented, states should be able to retrieve
authority to conduct elections from counties and impose a certain degree of uniformity.

In this report, we have proposed the kinds of reforms needed to improve significantly our
electoral process. To implement those reforms, a new or invigorated institution like the
EAC is needed to undertake the following tasks:

• Statewide registration lists need to be organized top-down with states in
charge and counties assisting states rather than the other way around;

• A template and a system is needed for sharing voter data across states;



Building Confidence in U.S. Elections




• The “REAL ID” needs to be adapted for voting purposes and linked to the
registration list;

• To ensure that the new requirements — ID and registration list — do not
impede access to voting, an expanded effort is needed to reach out and
register new voters;

• Quality audits of voter databases and certification of voting machine
source codes are essential;

• Voting machines need a voter-verifiable audit trail; and

• Extensive research on the operations and technology of elections is needed.


TABLE 5: Types of Electoral Administration

Institution
Government                                   5*    9     0     3     17 (14%)
Government supervised by judges or others    6     2     6     14    28 (23%)
Independent electoral commission             25    19    12    19    75 (63%)

* The U.S. in this

SOURCE: Electoral Management Bodies as Institutions of Governance (NY: United Nations
Development Programme, Bureau for Development Policy, 2000).


These reforms, but particularly those that require connecting states, will not occur on their
own. The EAC needs to have sufficient authority to assure effective and consistent
implementation of these reforms, and to avoid repeating past problems, its guidance must
be clear and compelling. A stronger EAC does not mean that the states will lose power in
conducting elections. To the contrary, the authority of state election officials will grow with
the creation of statewide voter databases, and their credibility will be enhanced by the new
nonpartisan structure and professionalism.

CONFLICT-OF-INTEREST RULES. No matter what institutions are responsible for conducting
elections, conflict-of-interest standards should be introduced for all federal, state, and local
election officials, including some of the provisions in Colorado’s new election law and of
the Code of Conduct prepared by the International Institute for Democracy and Electoral
Assistance (IDEA). This Code of Conduct requires election administrators to avoid any
activity, public or private, that might indicate support or even sympathy for a particular
candidate, political party, or political tendency.




Election officials should be prohibited by federal and/or state laws from serving on any
political campaign committee, making any public comments in support of a candidate,
taking a public position on any ballot measure, soliciting campaign funds, or otherwise
campaigning for or against a candidate for public office. A decision by a secretary of state
to serve as co-chair of his or her party’s presidential election committee would clearly violate
these standards.


Recommendations on Institutions 

6.1.1 To undertake the new responsibilities recommended by this report and to build
confidence in the administration of elections, Congress and the states should
reconstitute election management institutions on a nonpartisan basis to make them
more independent and effective. U.S. Election Assistance Commission members and
each state's chief elections officer should be selected and be expected to act in a
nonpartisan manner, and the institutions should have sufficient funding for research
and training and to conduct the best elections possible. We believe the time has come
to take politics as much as possible out of the institutions of election administration
and to make these institutions nonpartisan.

6.1.2 Congress should approve legislation that would add a fifth member to the U.S. Election
Assistance Commission, who would serve as the EAC's chairperson and who would be
nominated by the President based on capability, integrity, and nonpartisanship. This would
permit the EAC to be viewed more as nonpartisan than bipartisan and would improve its
ability to make decisions. That person would be subject to Senate confirmation and would
serve a single term of ten years. Each subsequent vacancy to the EAC should be filled
with a person judged to be nonpartisan so that after a suitable period, all the members,
and thus the institution, might be viewed as above politics.

6.1.3 States should prohibit senior election officials from serving or assisting political
campaigns in a partisan way, other than their own campaigns in states where they
are elected.

6.1.4 States should take additional actions to build confidence in the administration of
elections by making existing election bodies as nonpartisan as possible within the
constraints of each state's constitution. Among the ways this might be accomplished
would be if the individuals who serve as the state's chief elections officer were chosen
based on their capability, integrity, and nonpartisanship. The state legislatures would
need to confirm these individuals by a two-thirds majority of one or both houses. The
nominee should receive clear bipartisan support.

6.1.5 Each state's chief elections officer should, to the extent reasonably possible, ensure
uniformity of voting procedure throughout the state, as with provisional ballots. Doing
so will reduce the likelihood that elections are challenged in court.







6.2 POLL WORKER RECRUITMENT


For generations, civic-minded citizens, particularly seniors, have served as poll workers. The
average age of poll workers is 72. Poll workers generally are paid minimum wages for a
15-hour day. Not surprising, recruitment has proven more and more difficult. For the 2004
election, the United States needed 2 million poll workers, but it fell short by 500,000.

Effective administration of elections requires that poll workers have the capability and
training needed to carry out complex procedures correctly, the skills to handle increasingly
sophisticated voting technology, the personality and skills to interact with a diversity of
people in a calm and friendly manner, and the energy to complete a very long and hard day
of work on Election Day. Poll workers must administer complex
voting procedures, which are often changed with each election.
These procedures include issuing provisional ballots, checking
voter identification in accordance with state law, and correctly
counting the votes after the polling station closes. Poll workers
must also set up voting machines, instruct voters to use these
machines, and provide helpful service to voters, including to voters
with disabilities and non-English speakers.

A broad pool of potential recruits, drawn from all age groups, is
needed to meet the demands made on today’s poll workers. To
adequately staff polling stations, states and local jurisdictions must
offer better pay, training and recognition for poll workers and
recruit more citizens who have full-time jobs or are students.
Recruitment of teachers would serve to spread knowledge of the
electoral process, while recruitment of students would educate
future voters and attract individuals who may serve as poll workers
for decades to come.

Local election authorities should also consider providing incentives for more rigorous
training. Guilford County, North Carolina, for example, initiated a “Precinct Officials
Certification” program in cooperation with the local community college. The program
requires 18 hours of class and a final exam. While voluntary, more than 80 percent of
Guilford County’s 636 permanent precinct officials completed the course. Certified
officials receive an additional $35 per election in pay. Retention of officials has risen from
roughly 75 percent to nearly 95 percent.

In addition, poll workers deserve greater recognition for their public service. States
establish a Poll Worker Appreciation Week and issue certificates to thank poll workers for
their contribution to the democratic process.

Several states have passed laws to provide paid leave for state and local government workers
who serve as poll workers on Election Day. A pilot program titled “Making Voting Popular”
was implemented in 1998 in six counties surrounding the Kansas City metropolitan area
to encourage employers to provide a paid “civic leave” day for employees who work as poll
workers. Many states have introduced laws to encourage the recruitment of student poll
workers. Partnered with experienced poll workers, student poll workers can learn about
elections while contributing their technological skills.





It will be easier to recruit skilled poll workers if they are given flexibility in the terms of their
service by working part of the day. Since a large proportion of voters arrive either at the
beginning or the end of the day, it would make sense to hire more poll workers for those
periods, although this is not now the case. Bringing poll workers in from other jurisdictions
might also serve to provide partisan balance in jurisdictions where one party is dominant.
Flexibility in the terms of service of poll workers is often restricted by state laws. Where this
is the case, states should amend their laws to allow part-day shifts for poll workers on
Election Day and to permit state residents to polling stations in a different jurisdiction.

In addition, states might consider a new practice of recruiting poll workers in the same way
that citizens are selected for jury duty. This practice is used in Mexico, where citizens are
selected randomly to perform what they consider a civic obligation. About five times as
many poll workers as needed are trained in Mexico, so that only the most skilled and
committed are selected to serve as poll workers on Election Day. The process of training so
many citizens serves the additional purpose of educating the public in voting procedures.
This practice both reflects and contributes to a broad civic commitment to democracy.


Recommendations on Poll Worker Recruitment 

6.2.1 States and local jurisdictions should allocate sufficient funds to pay poll workers at a
level that would attract more technologically sophisticated and competent workers.
Part-time workers should also be recruited for the beginning and the end of Election
Day. States should amend their laws to allow shifts for part of the day for poll workers
on Election Day.

6.2.2 States and local jurisdictions should implement supplemental training and recognition
programs for poll workers.

6.2.3 To increase the number and quality of poll workers, the government and nonprofit and
private employers should encourage their workers to serve as poll workers on Election
Day without any loss of compensation, vacation time or personal time off. Special
efforts should be made to enlist teachers and students as poll workers.

6.2.4 Because some jurisdictions have large majorities of one party, which makes it hard to
attract poll workers from other parties, local jurisdictions should allow poll workers
from outside the jurisdiction.

6.2.5 States should consider legislation to allow the recruitment of citizens as poll workers
as is done for jury duty.





6.3 POLLING STATION OPERATIONS 


A visible problem on Election Day 2004 was long lines. This should have been anticipated
because there was a surge in new registrations and people expected a close election,
particularly in “battleground states.” Still, too many polling stations were unprepared.
While waiting until 4 a.m. to vote was an extreme case, too many polling stations
experienced long lines at the beginning of the day when people went to work or at the day’s
end when they returned. Fast-food chains hire extra workers at lunchtime, but it apparently
did not occur to election officials to hire more workers at the times when most people vote.
Long lines were hardly the only problem; many polling stations had shortages of provisional
ballots, machines malfunctioned, and there were too many inadequately trained workers on
duty. Although most states ban campaigning within a certain distance of a polling station,
other states or counties permit it, though many voters find it distasteful if not intimidating.

Problems with polling station operations, such as long lines, were more pronounced in
some places than in others. This at times gave rise to suspicions that the problems were
due to discrimination or to partisan manipulation, when in fact the likely cause was a poor
decision by election administrators. The U.S. Department of Justice’s investigation into the
allocation of voting machines in Ohio, for example, found that problems were due to
administrative miscalculations, not to discrimination.

The 2004 elections highlighted the importance of providing enough voting machines to
each polling place. While voter turnout can be difficult to predict, the ratio of voters per
machine can be estimated. Texas, for example, has issued an administrative rule to estimate
the number of machines needed per precinct at different rates of voter turnout.

The impression many voters get of the electoral process is partially shaped by their
experience at the polling station, and yet, not enough attention has been given to trying to
make them “user-friendly.” Elementary questions, which most businesses study to become
more efficient and responsive to their customers, are rarely asked, let alone answered by
election officials. Questions like: How long does it normally take for a citizen to vote?
Would citizens prefer to go to a neighborhood precinct, or to a larger, more service-oriented
but more distant “voting center”? How many and what kinds of complaints and problems
do polling stations hear in an average day? How do they respond, and are voters satisfied
with the response? How many citizens find electronic machines useful, and how many find
them formidable? By answering these fundamental questions, we might determine ways to
provide efficient and courteous service at polling locations.

A simple way to compile useful information about problems voters face on Election Day
would be to require that every voting station maintain a “log book” on Election Day to
record all complaints from voters or observers. The log book would be signed by election
observers at the end of the day to make sure that it has recorded all the complaints or
problems. An analysis of the books would help identify common problems and help
design more efficient and responsive polling sites.


Recommendations on Polling Station Operations 

6.3.1 Polling stations should be made user-friendly. One way to do so would be to forbid any
campaigning within a certain distance of a polling station.

6.3.2 Polling stations should be required to maintain a "log-book" on Election Day to
record all complaints. The books should be signed by election officials and observers
and analyzed for ways to improve the voting process.

6.3.3 Polling stations should be organized in a way that citizens would not have to wait long
before voting, and officials should be informed and helpful.


6.4 RESEARCH ON ELECTION MANAGEMENT 

Despite the wealth of expertise and literature on U.S. elections and voting behavior, little
research focuses on the administration or conduct of elections. Until the 2000 election
stirred interest in the subject, we had no information on how often votes went
uncounted. Today, we still do not know how many people are unable to vote because
their name is missing from the registration list or their identification was rejected at the
polls. We also have no idea about the level of fraud or the accuracy and completeness of
voter registration lists.

To effectively address the challenges facing our election systems, we need to understand
better how elections are administered. The log books and public reports on investigations
on election fraud, described above, can provide some good raw material. But we need more
systematic research to expand knowledge and stimulate needed improvements in U.S.
election systems. Moreover, beyond the reforms needed today, U.S. election systems will
need to adapt in the future to new technology and to social changes.





The Center for Election Systems at Kennesaw State University in
Georgia is the first university center established to study election
systems and to assist administration. With funding from
the state government, this Center develops standards for voting
technology used in Georgia and provides an array of other services,
such as testing all election equipment, providing training, building
databases, and designing ballots for many counties. The Center
thus provides critical services to state election authorities and
supports constant improvements in election systems. Since election
laws and procedures vary significantly, each state should consider
supporting university centers for the study of elections.

In addition to research on technology, university election centers
could assist state governments on issues of election law,
management, and civic and voter education. They could assemble
experts from different disciplines to assist state governments in
reviewing election laws, improving administrative procedures,
strengthening election management, and developing programs and
materials to train poll workers.

Comparative research is also needed on electoral systems in
different states, and national studies should be conducted on
different elements of election administration and causes of voter participation. These
studies might address such questions as: What factors stimulate or depress participation in
elections? How do voters adapt to the introduction of new voting technologies? And what
are the costs of conducting elections? Research on these and a host of other questions is
needed at the national, state, and local levels, with findings shared and efforts coordinated.
Moreover, federal, state, and private foundation funds are needed to generate the research
our election systems require to effectively inform decision-making, to monitor and advance
best practices, and to measure implementation and enforcement.


Recommendation on Research on Election Management 

The Commission calls for research on voting technology and
management to encourage improvements in the electoral process.






6.5 COST OF ELECTIONS 

Based on the limited information, the cost of elections appears to vary significantly
by state. Wyoming, for example, spent $2.15 per voter for the 2004 elections, while
California spent $3.99 per voter. Information on the cost of elections is difficult to obtain,
because both state and local authorities are involved in running elections, and local
authorities often neglect to track what they spend on elections. At the county level,
elections typically are run by the county clerk and recorder, who rarely keeps track of the
staff time and office resources allocated to elections as opposed to other office
responsibilities.

Election administration expenditures in the United States are on the low end of the range
of what advanced democracies spend on elections. Among advanced democracies,
expenditures on election administration range from lows of $2.62 in the United Kingdom
and $3.07 in France for national legislative elections, through a midrange of $4.08 in Spain
and $5.68 in Italy, to a high of $9.30 in Australia and $9.51 in Canada. While larger
expenditures provide no guarantee of greater quality in election administration, they tend
to reflect the priority given to election administration. The election systems of Australia and
Canada are the most expensive but are also considered among the most effective and
modern election systems in the world. Both local and state governments should track and
report the cost of elections per registered voter. This data would be very important in
offering comparisons on alternative and convenience voting.


Recommendations on Cost of Elections 

6.5.1 As elections are a bedrock of our nation's democracy, they should receive high priority
in the allocation of government resources at all levels. Local jurisdictions, states, and
the Congress should treat elections as a high priority in their budgets.

6.5.2 Both local and state governments should track and report the cost of elections per
registered voter.




7. Responsible Media Coverage 

The media’s role in elections is of great consequence. Effective media coverage contributes
substantially to the electoral process by informing citizens about the choices they face in the
elections and about the election results. In contrast, irresponsible media coverage weakens
the quality of election campaigns and the public’s confidence in the electoral process.


7.1 MEDIA ACCESS FOR CANDIDATES 

More than $1.6 billion was spent on television ads in 2004 by candidates, parties, and
independent groups. This was a record for any campaign year and double the amount
spent in the 2000 presidential election.

The pressure to raise money to pay for TV ads has tilted the competitive playing field in favor
of well-financed candidates and has created a barrier to entry in politics. Moreover, TV ads
tend to reduce political discourse to its least attractive elements — campaign spots are often
superficial and negative. This has a significant impact on the quality of campaigns, as
television is the primary source of campaign information for about half of all Americans.

Broadcasters receive free licenses to operate on our publicly owned airwaves in exchange for
a pledge to serve the public interest. At the heart of this public interest obligation is the need
to inform the public about the critical issues that will be decided in elections.

In 1998, a White House advisory panel recommended that broadcasters voluntarily air at
least five minutes of candidate discourse every night in the month preceding elections. The
goal of this “5/30 standard” was to give television viewers a chance to see candidates in
nightly forums that are more substantive than the political ads that flood the airwaves in
the final weeks of election campaigns. National networks were encouraged to broadcast a
nightly mix of interviews, mini-debates, and issue statements by presidential candidates,
and local stations were asked to do the same for candidates in federal, state, and local races.
Complete editorial control over the forums for candidate discourse was, of course, left to
the national networks and local stations, which would decide what campaigns to cover,
what formats to use, and when to broadcast the forums.

In 2000, about 103 television stations pledged to provide at least five minutes of campaign
coverage every night in the final month of the election campaign, yet they often fell short
of the 5/30 standard. Local news broadcasts of these 5/30 stations provided coverage, on
average, of only two minutes and 17 seconds per night of candidate discourse. On the
thousand-plus stations that did not pledge to meet the 5/30 standard, coverage of candidate
discourse was minimal.

During the 2004 campaign, substantive coverage of candidate discourse was still modest:

• Little attention was given to state and local campaigns. About 92 percent
of the election coverage by the national television networks was devoted to
the presidential race. Less than 2 percent was devoted to U.S. House or
U.S. Senate races.

• The presidential campaign also dominated local news coverage, but the
news focuses on the horse race between candidates rather than on important
issues facing Americans. While 55 percent of local news broadcasts
contained a story about the presidential election, only 8 percent had one
about a local race. About 44 percent of the campaign coverage focused on
campaign strategy, while less than one-third addressed the issues.

• Local campaign coverage was dwarfed by other news. Eight times more local
broadcast coverage went to stories about accidental injuries, and 12 times
more coverage went to sports and weather than to all local races combined.

• Only 24 percent of the local TV industry pledged to meet the “5/30”
standard.

Notwithstanding the dramatic expansion of news available on cable television, broadcasters
can and should do more to improve their coverage of campaign issues. Some propose to
require broadcasters to provide free air time to candidates, but others are concerned that it
might lead toward public financing of campaigns or violate the First Amendment.


Recommendations on Media Access for Candidates 

7.1.1 The Commission encourages national networks and local TV stations to provide at least
five minutes of candidate discourse every night in the month leading up to elections.

7.1.2 The Commission encourages broadcasters to continue to offer candidates short segments
of air time to make issue statements, answer questions, or engage in mini-debates.

7.1.3 Many members of the Commission support the idea that legislation should be passed
to require broadcasters to give a reasonable amount of free air time to political
candidates, along the lines of the provisions of the Our Democracy, Our Airwaves Act
of 2003 (which was introduced as in the 108th Congress).


7.2 MEDIA PROJECTIONS OF ELECTION RESULTS 

For decades, early projections of presidential election results have diminished participation
in the electoral process. Projections of Lyndon Johnson’s victory in 1964 came well before
the polls closed in the West. The same occurred in 1972 and in 1980. In all of these cases,
candidates further down the ballot felt the effect. In 1980, the estimated voter turnout was
about 12 percent lower among those who had heard the projections and not yet voted as
compared with those who had not heard the projections.

On Election Night in 2000, the major television news organizations — ABC, CBS, NBC,
CNN, and Fox — made a series of dramatic journalistic mistakes. While polls were still
open in Florida’s panhandle, they projected that Vice President Gore had won the state.
They later reversed their projection and predicted that Governor Bush would win Florida
and, with it, the presidency. Gore moved to concede the election, beginning with a call to
Bush. Gore later withdrew his concession, and the news organizations had to retract their
projection of Bush's victory. The first set of mistakes may have influenced voters in Florida
and in other states where the polls were still open. The second set of mistakes irretrievably
influenced public perceptions of the apparent victor in the election, which then affected the
subsequent controversy over the outcome in Florida.




Having made these mistakes in 2000, most television news organizations were cautious
about projecting presidential election results in 2004. This caution is worth repeating in
future elections and should become a standard media practice.

The Carter-Ford Commission was highly critical of the practice of declaring a projected
winner in a presidential election before all polls close in the contiguous 48 states of the
United States. In the Commission’s view, this practice discourages voters by signaling that
the election is over even before some people vote.

Voluntary restraint by major media organizations is a realistic option. National news
networks in the last several presidential elections have voluntarily refrained from calling the
projected presidential winner in the Eastern Standard Time zone until after 7:00 p.m.
(EST). In addition, as a result of the mistakes they made in 2000, the networks have now
agreed to refrain from calling the projected presidential winner in states with two time
zones until all of the polls across the state have closed.

Media organizations should exercise similar restraint in their release of exit poll data. The 
Carter-Ford Commission noted the mounting body of evidence that documents the 
unreliability of exit polls. In 2000, exit polls conflicted with the actual election results in 
many states — and in five specific instances by as much as 7 percent to 16 percent. 
Network news organization officials acknowledged that exit polls have become more fallible 
over the years as more and more voters have refused to take part. In 2000, only about half 
of the voters asked to participate in exit polls agreed to do so, and only 20 percent of 
absentee and early voters agreed to participate in telephone “exit” poll interviews. That 
response rate is too low to assure reliability in exit polls. 

Despite the effort made to improve exit polls for the 2004 presidential election, they were 
well off the mark and misled some Americans about the election’s outcome. By now it 
should be abundantly clear that exit polls do not reliably predict election results. While exit 
polls can serve a useful purpose after Election Day in providing data on the composition 
and preferences of the electorate, they lack credibility in projecting election results, and they 
reflect poorly on the news organizations that release them prematurely. This ought to give 
news organizations sufficient reason to abandon the practice of releasing exit poll data 
before elections have been decided. 

Government cannot prohibit news organizations from irresponsible political reporting, and 
efforts to legislate a delay in the announcement of projected election results are problematic. 
Voluntary restraint on the part of news organizations offers the best recourse. By exercising 
voluntary restraint, news organizations will enhance their credibility and better serve the 
American people by encouraging participation and public confidence in elections. 


Recommendations on Media Projections of Election Results 

7.2.1 News organizations should voluntarily refrain from projecting any presidential election 
results in any state until all of the polls have closed in the 48 contiguous states. 

7.2.2 News organizations should voluntarily agree to delay the release of any exit poll data 
until the election has been decided. 




8. Election Observation 


In too many states, election laws and practices do not allow independent observers to be 
present during crucial parts of the process, such as the testing of voting equipment or the 
transmission of results. In others, only certified representatives of candidates or political 
parties may observe. This limits transparency and public confidence in the election process. 
Above all, elections take place for the American people, rather than for candidates and 
political parties. Interested citizens, including those not affiliated with any candidate or 
party, should be able to observe the entire election process, although limits might be needed 
depending on the size of the group. 

Although the United States insists on full access by its election observers to the elections of 
other countries, foreign observers are denied or granted only selective access to U.S. 
elections. Observers from the Organization for Security and Cooperation in Europe 
(OSCE), who were invited to the United States in 2004, were not granted access to polling 
stations in some states, and in other states, their access was limited to a few designated 
polling stations. Only one of our 50 states (Missouri) allows unfettered access to polling 
stations by international observers. The election laws of the other 49 states either lack any 
reference to international observers or fail to include international observers in the statutory 
categories of persons permitted to enter polling places. 

To fulfill U.S. commitments to the OSCE “Copenhagen Declaration” on International 
Standards of Elections, accredited international observers should be given unrestricted 
access to U.S. elections. Such accreditation should be provided to reputable organizations 
which have experience in election observation and which operate in accordance with a 
recognized code of conduct. The National Association of Secretaries of State has 
encouraged state legislatures to make any necessary changes to state law to allow for 
international observers.* 


Recommendation on Election Observation 

8.1.1 All legitimate domestic and international election observers should be granted 
unrestricted access to the election process, provided that they accept election rules, do 
not interfere with the electoral process, and respect the secrecy of the ballot. Such 
observers should apply for accreditation, which should allow them to visit any polling 
station in any state and to view all parts of the election process, including the testing of 
voting equipment, the processing of absentee ballots, and the vote count. States that limit 
election observation only to representatives of candidates and political parties should 
amend their election laws to explicitly permit accreditation of independent and 
international election observers. 




9. Presidential Primary and 
Post-Election Schedules 

9.1 PRESIDENTIAL PRIMARY SCHEDULE 

The presidential primary system is organized in a way that encourages candidates to 
start their campaigns too early, spend too much money, and allow as few as eight percent 
of the voters to choose the nominees. The Commission believes that the scheduling of 
the presidential primary needs to be changed to allow a wider and more deliberate 
national debate. 

In 2000, the presidential primaries were effectively over by March 9, when John McCain 
ended his bid for the Republican nomination and Bill Bradley left the race for the 
Democratic nomination. This was less than seven weeks after the Iowa caucus. In 2004, the 
presidential primary process was equally compressed. Less than 8 percent of the eligible 
electorate in 2004 cast ballots before the presidential nomination process was effectively over. 

The presidential primary schedule has become increasingly front-loaded. While 8 states 
held presidential primaries by the end of March in 1984, 28 states held their primaries by 
March in 2004. The schedule continues to tighten, as six states have moved up the date of 
their presidential primary to February or early March while eight states have decided to 
cancel their presidential primary. 

Because the races for the presidential nominations in recent elections have generally 
concluded by March, most Americans have no say in the selection of presidential nominees, 
and intense media and public scrutiny of candidates is limited to about 10 weeks. 
Moreover, candidates must launch their presidential bids many months before the official 
campaign begins, so that they can raise the $25 to $50 million needed to compete. 

The presidential primary schedule therefore is in need of a comprehensive overhaul. A new 
system should aim to expand participation in the process of choosing the party nominees 
for president and to give voters the chance to closely evaluate the presidential candidates 
over a three- to four-month period. Improvements in the process of selecting presidential 
nominees might also aim to provide opportunities for late entrants to the presidential race 
and to shift some emphasis from Iowa and New Hampshire to states that more fully reflect 
the diversity of America. 

Most members of the Commission accept that the first two states should remain Iowa and 
New Hampshire because they test the candidates by genuine “retail,” door-to-door 
campaigning. A few other members of the Commission would replace those states with 
others that are more representative of America’s diversity, and would especially recommend 
a change from Iowa because it chooses the candidate by a public caucus rather than a secret 
ballot, the prerequisite of a democratic election. 

While the presidential primary schedule is best left to the political parties to decide, efforts 
in recent years by political parties have failed to overhaul the presidential primary schedule. 
If political parties do not make these changes by 2008, Congress should legislate the change. 




Recommendation on Presidential Primary Schedule 

9.1.1 We recommend that the Chairs and National Committees of the political parties and 
Congress make the presidential primary schedule more orderly and rational and allow 
more people to participate. We endorse the proposal of the National Association of 
Secretaries of State to create four regional primaries, after the Iowa caucus and the 
New Hampshire primary, held at one-month intervals from March to June. The regions 
would rotate their position on the calendar every four years. 


9.2 POST-ELECTION TIMELINE 

As the nation saw in 2000, a great deal of bitterness can arise when the outcome of a close 
presidential election turns on the interpretation of ambiguous laws. Had the U.S. Supreme 
Court not resolved the principal controversy in 2000, the dispute would have moved to 
Congress pursuant to Article II and the Twelfth Amendment. Unfortunately, the relevant 
provisions of the Constitution are vague or ambiguous in important respects, and the 
implementing legislation adopted by Congress over a century ago is not a model of clarity 
and consistency. If Congress is called upon to resolve a close election in the future, as could 
well happen, the uncertain meaning of these legal provisions is likely to lead to a venomous 
partisan spectacle that may make the 2000 election look tame by comparison. 

After the debacle following the election of 1876, Congress spent more than a decade 
fashioning rules and procedures that it hoped would allow future disputes to be settled by 
preexisting rules. Those rules and procedures have remained on the books essentially 
unchanged since that time. The core provision (3 U.S.C. § 5) invites the states to establish 
appropriate dispute-resolution mechanisms by promising that Congress will give conclusive 
effect to the states’ own resolution of controversies if the mechanism was established before 
the election and if the disputes are resolved at least six days before the electoral college 
meets. This “safe-harbor” provision appropriately seeks to prevent Congress itself from 
having to resolve election disputes involving the presidency, and every state should take 
steps to ensure that its election statutes qualify the state for favorable treatment under the 
safe-harbor provision. 

Unfortunately, even if all the states take this step, disputes requiring Congress to ascertain 
the meaning of unclear federal rules could still arise. Although it may not be possible to 
eliminate all possible sources of dispute, significant steps could be taken to improve the 
clarity and consistency of the relevant body of federal rules, and Congress should undertake 
to do so before the next presidential election. 


Recommendations on Post-Election Timeline 

9.2.1 Congress should clarify and modernize the rules and procedures applicable to carrying 
out its constitutional responsibilities in counting presidential electoral votes, and 
should specifically examine the deadlines. 

9.2.2 States should certify their presidential election results before the "safe harbor" date. 
Also, every state should take steps, including the enactment of new statutes if 
necessary, to ensure that its resolution of election disputes will be given conclusive 
effect by Congress under 3 U.S.C. § 5. 




Conclusion 

Building confidence in U.S. elections is central to our nation’s democracy. The vigor of our 
democracy depends on an active and engaged citizenry who believe that their votes matter 
and are counted accurately. The reforms needed to keep our electoral system healthy are an 
inexpensive investment in the stability and progress of our country. 

As a nation, we need to pursue the vision of a society where most Americans see their votes 
as both a right and a privilege, where they cast their votes in a way that leaves them proud 
of themselves as citizens and of democracy in the United States. Ours should be a society 
where registering to vote is convenient, voting is efficient and pleasant, voting machines 
work properly, fraud is minimized, and disputes are handled fairly and expeditiously. 

This report represents a comprehensive proposal for accomplishing those goals and 
modernizing our electoral system. We have sought to transcend partisan divides with 
recommendations that will both assure the integrity of the system and widen access. No 
doubt, there will be some who prefer some recommendations and others who prefer 
other proposals, but we hope that all will recognize, as we do, that the best way to 
improve our electoral system is to accept the validity of both sets of concerns. 

The five pillars of our proposal represent an innovative and comprehensive approach. 
They break new ground in the following ways: 

First, we propose a universal, state-based, top-down, interactive, and interoperable 
registration list that will, if implemented successfully, eliminate the vast majority of 
complaints currently leveled against the election system. States will retain control over their 
registration lists, but a distributed database offers a way to remove interstate duplicates and 
maintain an up-to-date, fully accurate registration list for the nation. 

Second, we propose that all states require a valid photo ID card, which would be a slightly 
modified REAL ID or a photo ID that is based on an EAC-template (which is equivalent 
to the REAL ID without the driver’s license). However, instead of allowing the ID to be a 
new barrier to voting, we propose using it to enfranchise new and more voters than ever 
before. The states would play a much more affirmative role of reaching out to the 
underserved communities by providing them more offices, including mobile ones, to 
register them and provide photo IDs free of charge. In addition, we offer procedural and 
institutional safeguards to make sure that the card is not abused and that voters will not be 
disenfranchised because of the need for an ID. 

Third, we propose measures that will increase voting participation by connecting 
registration and the ID process, making voting more convenient, diminishing irregularities, 
and offering more information on voting. 





Fourth, we propose ways to give confidence to voters that use the new electronic voting 
machines to ensure that their vote will be recorded accurately and there will be an auditable 
backup on paper (with the understanding that alternative technologies may be available in 
the future). Our proposals also aim to make sure that people with disabilities have full 
access to voting and the opportunity to do so privately and independently like other voters. 

Finally, we recommend a restructuring of the system by which elections have been 
administered in our country. We propose that the Election Assistance Commission and 
state election management bodies be reconstituted on a nonpartisan basis to become more 
professional, independent, and effective. 

Election reform is neither easy nor inexpensive. Nor can we succeed if we think of 
providing funds on a one-time basis. We need to view the administration of elections as a 
continuing challenge for the entire government, and one that requires the highest priority 
of our citizens and our government. 

For more than two centuries, our country has taught the world about the significance of 
democracy, but more recently, we have evinced a reluctance to learn from others. Typical of 
this gap is that we insist other countries open their elections to international observers, but 
our states close their doors or set unfair restrictions on election observing. We recommend 
changing that provision and also building on the innovations of the new democracies by 
establishing new election management bodies that are independent, nonpartisan, and 
effective with a set of procedures that would make American democracy, once again, the 
model for the world. 

The new electoral edifice that we recommend is built on the five pillars of reforms. 
Democrats, Republicans, and Independents may differ on which of these pillars are the 
most important, but we have come to understand that all are needed to improve our 
electoral system. Indeed, we believe that the structure is greater than the sum of its pillars. 
Substantively, the system’s integrity is strengthened by the increased access of its citizens, 
and voter confidence is raised by accuracy and security of new technology and enforcement 
of election laws. And the political support necessary to implement these reforms is more 
likely to materialize if all the pillars are viewed as part of an entire approach. If adequately 
funded and implemented, this new approach will move America down the path of 
transforming the vision of a model democracy into reality. 




APPENDIX 

Estimated Costs of Recommended 
Improvements 

The Commission’s recommendations are estimated to cost $1.35 billion to implement. 
This estimate is the sum of the cost of making state voter databases interoperable and 
upgrading voting machines to make them both accessible and transparent. 

The total cost for making voter databases interoperable is estimated at $287 million. This 
cost breaks down as follows: 

• The 11 states without top-down voter registration systems will need to 
spend a total of $74 million to build such systems. 

• The system to share voter data among states is estimated to cost $77 
million. 

• The cost for all states to adopt the recommended template for shared voter 
data is estimated at $21 million. Since every state except Vermont requires 
a Social Security number to issue a driver’s license, states will need to collect 
Social Security numbers from only a small portion of the adult 
population. 

• Since all states currently collect digital images of signatures when they issue 
driver’s licenses, there will be no significant cost for collecting signature 
images for voter registration. 

• For voter identification, states that use REAL ID for voting purposes will 
need additional funds only to provide a template form of ID to non-drivers. 
The template form of ID will be issued to an estimated 23 million 
U.S. citizen non-drivers at a cost of $115 million. 

The total cost for upgrading voting machines, to make them both accessible and 
transparent, is estimated at $1.06 billion. This is the amount needed, in addition to the 
HAVA funds already obligated, to replace remaining punch card and lever machines with 
direct recording electronic (DRE) systems or with optical scan systems with a 
computer-assisted marking device for blind and visually impaired voters, to retrofit DREs with a 
voter-verifiable paper audit trail, and to add a ballot marking device for blind voters to 
existing optical scan systems. The estimates are based on current distributions of various 
voting machines and on current costs for DREs, voter-verifiable paper audit trails, and 
ballot-marking devices for optical scan systems. 

The Commission recommends that Congress provide $1.35 billion in funding over a 
two-year period, so that voter databases will be made interoperable and voting machine 
upgrades will be completed before the 2008 elections. 




ENDNOTES 

Adam Nagourney and Janet Elder, “Late Poll Still Shows Sharp Split in U.S. Vote,” 
International Herald Tribune, November 1, 2004; and Dan Eggen, “Justice Department 
Triples Election Monitors; More than 1,000 Head to Polls,” The Washington Post, October 
29, 2004, p. A6. 

The Pew Research Center for the People and the Press, “Voters Liked Campaign 2004, But 
Too Much ‘Mud-Slinging’,” November 11, 2004, available at 
<http://people-press.org/reports/display.php3?ReportID=233>. 

Milwaukee Police Department, Milwaukee County District Attorney’s Office, Federal 
Bureau of Investigation, and United States Attorney’s Office Task Force, Preliminary 
Finding of Joint Task Force Investigating Possible Election Fraud, May 10, 2005. Available at 
<http://www.wispolitics.com/1006/electionfraud.pdf>. 

“Dead voters on rolls,” Chicago Tribune, December 4, 2004. 

The following democracies constitute some of the nearly 100 countries that utilize a 
national ID system: Belgium, Costa Rica, Germany, India, Italy, the Netherlands, Portugal, 
South Africa, and Spain. See Privacy.org, “Identity Cards: FAQ,” August 24, 1996, available 
at <http://www.privacy.org/pi/activities/idcard/idcard_faq.html>. 

Jason P. Schachter, “Geographical Mobility: 2002 to 2003,” Current Population Reports, US 
Census Bureau (March 2004). Available at: 
http://www.census.gov/prod/2004pubs/p20-549.pdf 

In addition to the 38 states with top-down voter registration systems, 6 states are developing 
bottom-up systems, 2 will use systems with both top-down and bottom-up elements, and 3 
have yet to finalize their plans. North Dakota does not require voter registration. See 
Electionline.org, Assorted Rolls: Statewide Voter Registration Databases Under HAVA, June 
2005, p. 3, available at <www.electionline.org/Portals/1/Assorted percent20Rolls.pdf>. 

“Exposed: Scandal of double voters,” New York Daily News, August 21, 2004 and “Double 
votes taint Florida, records show,” Orlando Sentinel, October 23, 2004. 

“Report: As many as 60,000 people file to vote in both Carolinas,” Associated Press, 
October 24, 2004. 

“Exposed: Scandal of Double Voters,” New York Daily News, August 21, 2004. 

The introduction of electronic transaction standards would also facilitate cross-state 
exchanges of voter data, see R. Michael Alvarez and Thad E. Hall, “The Next Big Election 
Challenge: Developing Electronic Data Transaction Standards for Election Administration,” 
Caltech/MIT Voting Technology Project, July 2005, pp. 19-21. 

“Overview of States Driver’s License Requirements”, National Immigration Law Center, 
July 12, 2005, available at 
<www.nilc.org/immspbs/DLs/state_dLrqrmts_ovrvw_071205.pdf>. Alabama also collects 
Social Security numbers for driver’s licenses, according to Commission staff conversation 
with Alabama’s Motor Vehicle Division in August 2005. 

Except for Vermont, all states require a Social Security Number for a driver’s license, at least 
from people who were assigned a Social Security Number or are eligible for one. 




Voters should also have the opportunity to check their registration over the phone, via a 
toll-free number, or in person at the elections office. 

Electionline.org, Solution or Problem? Provisional Ballots in 2004, April 2005, p. 2, available 
at <http://electiononline.org/Portals/1/Publications/ERIP10Apr05.pdf>. 

Ibid, p.5. 

In states with unified databases, provisional ballots constituted .85 percent of the total 
ballots cast whereas in the states without unified databases, provisional ballots constituted 
1.76 percent of the total. See Electionline.org, Solution or Problem? Provisional Ballots in 
2004, Washington, D.C., April 2005. 

Testimony before the Commission by Ken Smukler, President of Info Voter Technologies, 
on June 30, 2005. 

Details were provided in Section 1.1. 

ID is required of all voters in 22 states and of all first-time voters in another two states, 
according to Electionline.org, <http://electionline.org/Default.aspx?tabid=364>. 

Provided by Electionline.org, <www.electionline.org/Default.aspx?tabid=473>. 

A comparison of driver’s license records and census data for W05 suggests that about 88 
percent of Americans aged 18 and over have a driver’s license, see U.S. Department of 
Transportation, Federal Highway Administration, Licensed Total Drivers, By Age, 2003, 
Table DL-22, Oct. 2004, at <www.fhwa.dot.gov/policy/ohim/hs03/htm/dl22.htm>, and 
U.S. Census Bureau, Annual Estimates of the Population by Selected Age Groups and Sex for 
the United States: April 1, 2000 to July 1, 2004, (June 2005), available at 
<www.census.gov/popest/national/asrh/NC-EST2004-sa.html>. 

U.S. Government Accountability Office, Elections: Additional Data Could Help State and 
Local Elections Officials Maintain Accurate Voter Registration Lists, GAO-05-478, June 2005, 
pp. 13-29. 


U.S. Election Assistance Commission, The Impact of the National Voter Registration Act, 
2003-2004, June 30, 2005, pp. 16 and 20. 

Data on voter registration in Alaska is contained in U.S. Election Assistance Commission, 
“The Impact of the National Voter Registration Act of 1993 on the Administration of 
Elections for Federal Office: 2003-2004,” Table 1: Registration History. Other examples 
include 34 of the 82 counties in Mississippi and the City of East St. Louis, see Emily W. 
Pettus, “Secretary of state seeks proposals on statewide voter roll,” Associated Press, 
September 1, 2004, and Mike Fitzgerald, “Dual registration: a recipe for fraud?” Belleview 
News-Democrat, November 28, 2004. 

For example, see Australian National Audit Office, Integrity of the Electoral Roll, April 2002: 
<www.anao.gov.au/WebSite.nsf/Publications/4A256AE90015F69BCA256B9E007B5F52>. 
This audit estimated that Australia’s electoral rolls were 96 percent accurate, 95 percent 
complete, and 99 percent valid. 

The residual vote rates fell by 0.79 percent in counties where lever machines were replaced 
by direct recording electronic (DRE) machines and by 1.46 percent in counties where 
punch cards were replaced by DREs, according to Charles Stewart, Residual Vote in the 
2004 Election, Caltech/MIT Voting Technology Project Working Paper, February 2005, 
Table 2. 




Election Data Services, 
<www.electiondataservices.com/VotingSummary2004_20040805.pdf>. 

Dan Keating, “Lost Votes in N.M. a Cautionary Tale,” Washington Post, August 22, 2004, 
and “Nearly 40 votes may have been lost in Palm Beach County,” Associated Press, 
November 2, 2004. 

Electionline.org, <http://www.electionline.org/Default.aspx?tabid=290>. 

Ted Selker, “Processes Can Improve Electronic Voting,” Caltech/MIT Voting Technology 
Project, October 2004, available at 
<http://www.vote.caltech.edu/media/documents/vtp_wp17.pdf>. 

Manual audits of voting machines are required in Colorado, Connecticut, Hawaii, Illinois, 
Minnesota, New Mexico, New York, North Carolina, Washington, and West Virginia, 
according to Verified Voting Foundation, “Manual Audit Requirement,” August 18, 2005, 
available at <www.verifiedvoting.org/downloads/Manual_Audit_Provisions.pdf>. 

Ted Selker and Jon Goler, “Security Vulnerabilities and Problems with VVPT,” 
Caltech/MIT Voting Technology Project, April 2004, available at 
<http://vote.caltech.edu/media/documents/wps/vtp_wp16.pdf>. 

“Voting Machine Fails Inspection,” CNETNews.com, July 23, 2003 and “New Security 
Woes for E-Vote Firm,” WiredNews.com, August 7, 2003. 

In California’s field test, about one in ten machines malfunctioned, see “Voting Machines 
Touch and Go,” Associated Press, July 30, 2005. 

Internet Policy Institute, Report of the National Workshop on Internet Voting Issues and 
Research Agenda, March 2001. Available at 
<http://news.findlaw.com/hdocs/docs/election2000/nsfe-voterpit.pdf>. 

Curtis Gans, “Making it Easier Doesn’t Work: No Excuse Absentee and Early Voting Hurt 
Voter Turnout," Center for the Study of the American Electorate, September 13, 2004, 
available at <http://www.american.edu/ia/cfer/research/csae_09132004.pdf>. 

Testimony before the Commission by Robert Stein, Dean of Social Sciences at Rice 
University, on June 30, 2005. 

Balancing Access and Integrity: The Report of the Century Foundation Working Group on State 
Implementation of Election Reform (N.Y. the Century Foundation Press, 2005), pp. 25-26. 

Curtis Gans, “Making it Easier Doesn’t Work: No Excuse Absentee and Early Voting Hurt 
Voter Turnout,” Center for the Study of the American Electorate, September 13, 2004, 
available at <http://www.american.edu/ia/cfer/research/csae_09132004.pdf>. 

Superior Court of the State of Washington for Chelan County, Final Judgment Dismissing 
Election Contest with Prejudice and Confirming Certification of Election of Christine 
Gregoire, Court Decision No. 05-2-00027-3, June 6, 2005. 

United States General Accounting Office, “Elections: Issues Affecting Military and Overseas 
Absentee Voters,” May 2001, available at <http://www.gao.gov/newitems/d01704t.pdf>, p. 1. 

National Defense Committee, Military and Overseas Absentee Voting in the 2004 Presidential 
Election, March 30, 2005, available at 
<www.nationaldefensecommittee.org/media/pdf/NDCmavexecsumfinal-33005.pdf>. 




David Jefferson, Aviel D. Rubin, Barbara Simons, and David Wagner, A Security Analysis of 
the Secure Electronic Registration and Voting Experiment, January 20, 2004, 
<www.servesecurityreport.org/>. 

Information provided to the Commission by the Federal Voting Assistance Program. 

Testimony before the Commission by James Dickson, Vice President at the American 
Association of People with Disabilities, on April 18, 2005. 

Ibid. 

Ibid. 

Ibid. 

Alabama, Arizona, Delaware, Maryland, Mississippi, Nebraska, Nevada, Tennessee, 
Washington, and Wyoming have a permanent ban on voting by certain categories of 
ex-felons, according to the Sentencing Project, <www.sentencingproject.org/pdfs/1046.pdf>. 

Census data provided by the Center for Information and Research on Civic Learning and 
Engagement (CIRCLE), available at 
<www.civicyouth.org/PopUps/ReleaseCPS04_Youth.pdf>. 

Karl T. Kurtz, Alan Rosenthal, and Cliff Zukin, Citizenship: A Challenge for All Generations, 
National Conference of State Legislatures, September 2003, available at 
<www.ncsl.org/public/trust/citizenship.pdf>. 

Campaign for the Civic Mission of Schools and Alliance for Representative Democracy, 
“From Classroom to Citizen: American Attitudes on Civic Education,” December 2004, 
available at <www.representativedemocracy.org/CivicEdSurveyReport.pdf>. 

U.S. Department of Justice press release, “Department of Justice to Hold Ballot Access and 
Voting Integrity Symposium,” August 2, 2005. 

U.S. Government Accountability Office, Elections: Additional Data Could Help State and 
Local Elections Officials Maintain Accurate Voter Registration Lists, GAO-05-478, June 2005, 
pp. 59-60. 

Balancing Access and Integrity: The Report of the Century Foundation Working Group on State 
Implementation of Election Reform (N.Y. the Century Foundation Press, 2005), pp. 67-69. 

John Fund, Stealing Elections: How Voter Fraud Threatens Our Democracy (San Francisco: 
Encounter Books, 2004), p. 103. 

Joe Stinebaker, “Loophole lets foreigners illegally vote,” Houston Chronicle, January 16, 
2005, and Robert Redding, “Purging illegal aliens from voter rolls not easy: Maryland 
thwarted in tries so far,” Washington Times, August 23, 2004. 

Susan Greene and Karen E. Crummy, “Vote Fraud Probed In State,” Denver Post, March 
24, 2005; Brendan Farrington, “Fla. Officials Asked To Probe Vote Fraud,” Associated Press, 
October 7, 2004; Dawson Bell, “Campaign Workers Suspected Of Fraud,” Detroit Free 
Press, September 23, 2004; “Man Pleads Guilty In Voter Registration Scam,” Associated 
Press, December 7, 2004; Robert Patrick, “Jury Finds Montgomery Guilty In Vote Fraud 
Case,” St. Louis Post-Dispatch, February 11, 2005; Nevada Secretary Of State, “Alleged Vote 
Fraud Investigations Ongoing,” Press Release, October 28, 2004; Dan McKay, “Election 
'Mischief' Under Scrutiny,” Albuquerque Journal, September 10, 2004; “Voter Registration 
Investigation One Of Largest In Recent Years,” Associated Press, September 23, 2004; Greg 
J. Borowski, “Inquiry Finds Evidence Of Fraud In Election,” Milwaukee Journal Sentinel, 
May 11, 2005; U.S. Department of Justice, Criminal Division, Public Integrity Section, 
Election Fraud Prosecutions and Convictions: Ballot Access & Voting Integrity Initiative, 
October 2002 - July, 2005. 

A Rasmussen Reports poll just before the November 2004 elections showed that 58 percent
of American voters believed there was “a lot” or “some” fraud in U.S. elections, and in a
post-election NBC News/Wall Street Journal poll, more than a quarter of Americans worried
that the vote count for president in 2004 was unfair, quoted in Rick Hasen, “Beyond the
Margin of Litigation: Reforming Election Administration to Avoid Electoral Meltdown,”
Paper prepared for American Political Science Association meeting, September 1, 2005, pp.
7-8, available at
<http://convention2.allacademic.com/getfile.php?file=apsa05_proceeding/2005-07-29/41404/apsa05_proceeding_41404.pdf&PHPSESSID=c47830ae1716d461356f598599faea17>.

Ibid, p. 9. 

Ibid, p. 29. 

International IDEA, Code of Conduct for the Ethical and Professional Administration of
Elections, 1997, <www.idea.int/publications/conduct_admin/upload/adm_english.pdf>.

United States Election Assistance Commission, Background on the Help America Vote College
Poll Worker Program, <http://www.eac.gov/coll_poll_background.asp>; Associated Press,
“US short of poll workers,” November 1, 2004, Fox News. Available at:
<http://www.foxnews.com/story/0,2933,137242,00.html>.

The Voting Rights Institute, Democracy at Risk: The 2004 Election in Ohio (Washington,
D.C.: Democratic National Committee, 2005).

U.S. Department of Justice’s investigations in Franklin County and in Knox County, Ohio
found no evidence that the allocation of voting machines was conducted in a discriminatory
manner, see <www.usdoj.gov/crt/voting/misc/franklin_oh.htm> and
<www.usdoj.gov/crt/voting/misc/knox.htm>. In fact, the distribution of voting machines
was determined by each county’s Board of Elections, and half the members of each Board of
Elections are Democrats.

Rule §81.125 of Texas Administrative Code, available at
<http://info.sos.state.tx.us/pls/pub/readtac$ext.TacPage?sl=R&app=9&p_dir=&p_rloc=&p_tloc=&p_ploc=&pg=1&p_tac=&ti=1&pt=4&ch=81&rl=125>.

A strong example of funding for elections research is the $7.5 million awarded by the
National Science Foundation on August 15, 2005 for a collaborative project of six
institutions to study the reliability, security, transparency, and auditability of voting systems.

California Secretary of State, Historical Close Of Registration Statistics: Presidential General
Elections, May 2004, available at <www.ss.ca.gov/elections/ror/reg_stats_10_18_04.pdf>;
Wyoming Secretary of State, Profile of Wyoming's Voters - Voter Registration and Voter Turnout,
Associated Press, 2004. Available at <soswy.state.wy.us/election/profile.htm>. Election cost —
$4 billion and climbing: most money went for ads, but other expenses not chicken feed. Available
at <www.msnbc.msn.com/id/6388580/>.




IFES, Cost of Registration and Elections (CORE) for election costs in Australia and Spain;
Elections Canada, <www.elections.ca/>; Electionguide.org,
<www.electionguide.org/resultsum/canada_par04.htm>; UK Electoral Commission, 2002,
Funding Democracy: Providing Cost-Effective Electoral Services, available at
<www.electoralcommission.org.uk/files/dms/funding_csltppr_6642-6213__E__N__S__W__.pdf>;
Electionguide.org; EPIC Project, available at
<epicproject.org/ace/compepic/en/getAnswer$ALL+EM10>.

Alliance for Better Campaigns,
<www.bettercampaigns.org/standard/display.php?StoryID=322>.

Fox News/Opinion Dynamics poll, March 25, 2004,
<www.foxnews.com/story/0,2933,115208,00.html>.

Analysis by the Norman Lear Center at the Annenberg School for Communication of the
University of Southern California,
<www.bettercampaigns.org/standard/display.php?StoryID=328>.

Alliance for Better Campaigns,
<www.bettercampaigns.org/standard/display.php?StoryID=326>, and Lear Center, “Local
News Coverage of the 2004 Campaigns.”

National Commission on Federal Election Reform, To Assure Pride and Confidence in the
Electoral Process, August 2001, p. 63.

National Association of Secretaries of State, “International Election Protocol Resolution,”
and supporting language, July 24, 2005, available at
<www.nass.org/International Election Protocol Resolution.pdf> and
<www.nass.org/International Elections Protocol Language.pdf>.

Six states passed measures to move forward the date of their presidential primaries and eight
states passed measures to cancel their presidential primary for 2004, see
<www.ncsl.org/programs/legman/elect/taskfc/Changing-EliminatingPP.htm>.

Estimate is based on the average amounts other states are currently spending to build
top-down voter registration systems and excludes HAVA funds that have already been disbursed
for this purpose, see Electiononline.org, Assorted Rolls: Statewide Voter Registration Databases
Under HAVA, <http://electionline.org/Portals/1/Assorted Rolls.pdf>.

Figure includes both the cost to upgrade existing state databases to make them interoperable
in real time and the cost to build a voter registration distributed database linked to the
individual state servers. The former ($48 million) is based on the average cost to make
existing state driver’s license databases interoperable with each other as determined by the
Congressional Budget Office, see “H.R. 418: REAL ID Act of 2005,” Congressional
Budget Office, <http://www.cbo.gov/showdoc.cfm?index=6072&sequence=0>. The latter
($29 million) is based on the market cost to purchase, secure, maintain, and link to the
states through leased lines a central database that benchmarks 57,346 transactions per
minute.




The cost to collect Social Security numbers is tantamount to registering voters. The Office
of the Chief Electoral Officer of Canada calculates the cost of registering 19.6 million voters
in the 1997 national elections at approximately $18 million. This produces a statistic of
$0.92 to register each person, see Voter Turnout, electionguide.org,
<http://www.electionguide.org/turnout.htm> and Voting for Democracy: Notes on the
Canadian Experience, Office of the Chief Electoral Officer of Canada, March 1998,
<http://www.aceproject.org/main/samples/vt/vrx_w005.pdf>. For data on the distribution
of driver’s licenses, see “Highway Statistics 2003,” U.S. Department of Transportation,
<http://www.fhwa.dot.gov/policy/ohim/hs03/htm/dl22.htm>.

The cost per card is estimated at $5. This figure includes approximate administrative,
infrastructure, and issuance costs, see Stephen Moore, “Congressional testimony before the
U.S. House of Representatives Subcommittee on Immigration and Claims, Judiciary
Committee,” May 13, 1997, available at
<http://www.cato.org/testimony/ct-sm051397.html> and “The debate over a national
identification card,” The Century Foundation, Homeland Security Project, available at
<http://www.tcf.org/Publications/HomelandSecurity/National_ID_Card.pdf>.

The estimated costs for the various voting machines are as follows: Direct Recording
Electronic with a Voter-Verified Paper Audit Trail (DRE/VVPAT) — $4,000; retrofitting a
DRE machine with a VVPAT — $1,000; optical scanner (OS) — $5,000; and ballot marking
device for an optical scan system — $4,500. Machine cost data is collected from many
sources, including Verifiedvoting.org, “Appendix 4: Cost Comparison of Alternative
Solutions,” <http://www.verifiedvoting.org/downloads/CT SOTSlappendix_43.pdf>; Caleb
Kleppner, State of the Industry: Compatibility of Voting Equipment with Ranked Ballots,
Center for Voting and Democracy, 2001,
<http://www.fairvote.org/administration/industry.rtf>; Bo Lipari, “Analysis of Acquisition
Costs of DRE and Precinct Based Optical Scan Voting Equipment for New York State,”
New Yorkers for Verified Voting, 2005,
<http://www.nyvv.org/doc/AcquisitionCostDREvOptScanNYS.pdf>.

For details on the distribution of machine technology, see Election Data
Services, Voting Equipment Summary by Type, 2004,
<http://www.electiondataservices.com/VotingSummary2004_20040805.pdf>.




THE MACHINERY OF DEMOCRACY: 
PROTECTING ELECTIONS 
IN AN ELECTRONIC WORLD 


THE BRENNAN CENTER TASK FORCE 
ON VOTING SYSTEM SECURITY 
LAWRENCE NORDEN, CHAIR 


VOTING RIGHTS 
& ELECTIONS SERIES 

BRENNAN CENTER 
FOR JUSTICE 

AT NYU SCHOOL OF LAW 
www.brennancenter.org 





© 2006. This paper is covered by the Creative Commons "Attribution-No Derivs-NonCommercial"
license (see http://creativecommons.org). It may be reproduced in its entirety as long as
the Brennan Center for Justice at NYU School of Law is credited, a link to the Center's
web page is provided, and no charge is imposed.

The paper may not be reproduced in part or in altered form, or if a fee is charged,
without the Center's permission. Please let the Center know if you reprint.


ABOUT THE TASK FORCE 

In 2005, the Brennan Center convened a Task Force of internationally renowned
government, academic, and private-sector scientists, voting machine experts and
security professionals to conduct the nation's first systematic analysis of security
vulnerabilities in the three most commonly purchased electronic voting systems.
The Task Force spent more than a year conducting its analysis and drafting this
report. During this time, the methodology, analysis, and text were extensively
peer reviewed by the National Institute of Standards and Technology (“NIST”).
The members of the Task Force are:

Chair

Lawrence D. Norden, Brennan Center for Justice

Principal Investigator

Eric L. Lazarus, DecisionSmith. 

Experts 

Georgette Asherman, independent statistical consultant, 
founder of Direct Effects 

Professor Matt Bishop, University of California at Davis 

Lillie Coney, Electronic Privacy Information Center 

Professor David Dill, Stanford University 

Jeremy Epstein, PhD, Cyber Defense Agency LLC 

Harri Hursti, independent consultant, former CEO of F-Secure PLC 

Dr. David Jefferson, Lawrence Livermore National Laboratory and 
Chair of the California Secretary of State’s Voting Systems 
Technology Assessment and Advisory Board 

Professor Douglas W. Jones, University of Iowa 
John Kelsey, PhD, NIST 
Rene Peralta, PhD, NIST 
Professor Ronald Rivest, MIT 

Howard A. Schmidt, Former Chief Security Officer, Microsoft and eBay 
Dr. Bruce Schneier, Counterpane Internet Security 

Joshua Tauber, PhD, formerly of the Computer Science and 
Artificial Intelligence Laboratory at MIT 

Professor David Wagner, University of California at Berkeley 

Professor Dan Wallach, Rice University

Matthew Zimmerman, Electronic Frontier Foundation 





ABOUT THE EDITOR AND TASK FORCE CHAIR 

Lawrence Norden is an Associate Counsel with the Brennan Center, working in 
the areas of voting technology, voting rights, and government accountability. For 
the past year, Mr. Norden has led the Brennan Center's voting technology assess- 
ment project. He is the lead author of The Machinery of Democracy: Voting System 
Security, Accessibility, Usability, Cost (Brennan Center forthcoming 2006) and a
contributor to Routledge's forthcoming Encyclopedia of American Civil Liberties. Mr.
Norden edits and writes for the Brennan Center's blog on New York State,
www.ReformNY.blogspot.com. He is a graduate of the University of Chicago
and the NYU School of Law. Mr. Norden serves as an adjunct faculty member 
in the Lawyering Program at the Benjamin N. Cardozo School of Law. He may 
be reached at lawrence.norden@nyu.edu. 

ABOUT THE BRENNAN CENTER 

The Brennan Center for Justice at NYU School of Law unites thinkers and advo- 
cates in pursuit of a vision of inclusive and effective democracy. The organiza- 
tion’s mission is to develop and implement an innovative, nonpartisan agenda of 
scholarship, public education, and legal action that promotes equality and human 
dignity, while safeguarding fundamental freedoms. The Center works in the areas 
of Democracy, Poverty, Criminal Justice, and Liberty and National Security. 
Michael Waldman is the Center’s Executive Director. 

ABOUT THE VOTING RIGHTS & ELECTIONS SERIES 

The Brennan Center’s Voting Rights & Elections Project promotes policies that 
protect rights to equal electoral access and political participation. The Project 
seeks to make it as simple and burden-free as possible for every eligible American 
to exercise the right to vote and to ensure that the vote of every qualified voter is 
recorded and counted accurately. In keeping with the Center’s mission, the Project 
offers public education resources for advocates, state and federal public officials, 
scholars, and journalists who are concerned about fair and open elections. For
more information, please see www.brennancenter.org or call 212-998-6730. 

This paper is the second in a series, which also includes: 

Making the List: Database Matching and Verification Processes for Voter Registration by Justin 
Levitt, Wendy Weiser and Ana Munoz. 

Other resources on voting rights and elections, available on the Brennan Center’s 
website, include: 

Response to the Report of the 2005 Commission on Federal Election Reform (2005) (co- 
authored with Professor Spencer Overton) 

Recommendations for Improving Reliability of Direct Recording Electronic Voting Systems 
(2004) (co-authored with Leadership Conference on Civil Rights) 





ACKNOWLEDGMENTS 

Most importantly, the Brennan Center thanks NIST and its many scientists for 
devoting so many hours to its extensive and thorough peer review of the analysis 
and report. The report, in its current form, would not exist without NIST’s many 
important comments and contributions. 

In particular, we thank John Kelsey of NIST for the substantial material and 
ideas he provided, which have been incorporated into the report and the report’s 
attack catalogs. We also specially thank Rene Peralta for his original contributions 
and analysis. Finally, we are enormously grateful to Barbara Guttman, John 
Wack and other scientists at NIST, who provided material for the attack catalogs, 
helped to develop the structure of the report, and edited many drafts. 

We are also extremely appreciative of Principal Investigator Eric Lazarus’s enor- 
mous efforts on behalf of this report. His vision, tenacity, and infectious enthusi- 
asm carried the team through a lengthy process of analysis and drafting. 

A special debt of gratitude is also owed to election officials throughout the coun- 
try, who spent many hours responding to surveys and interview questions related 
to this report. In addition to team members Professor Ronald Rivest and Dr. 
David Jefferson, we particularly thank Patrick Gill, Woodbury County Auditor 
and Recorder and Past President of the Iowa State Association of County 
Auditors; Elaine Johnston, County Auditor, Asotin County, Washington; Harvard 
L. Lomax, Registrar of Voters for Clark County, Nevada; Debbie Smith, 
Elections Coordinator, Calaveras County, California; Jocelyn Whitney, Developer
and Project Manager for parallel testing activities in the State of California; 
Robert Williams, Chief Information Officer for Monmouth County, New Jersey; 
and Pam Woodside, former Chief Information Officer for the Maryland State 
Board of Elections. We would also like to acknowledge the National Committee 
for Voting Integrity for their cooperation and assistance in this effort. 

Jeremy Creelan, Associate Attorney at Jenner & Block LLP, deserves credit for
conceiving, launching, and supervising the Brennan Center’s voting technology
assessment project, including development of this report, as Deputy Director of
the Center’s Democracy Program through February 2005. The Program misses
him greatly and wishes him well in private practice, where he continues to
provide invaluable pro bono assistance.

The Brennan Center is grateful to Task Force member Lillie Coney, Associate 
Director of the Electronic Privacy Information Center. Among many other con- 
tributions, she provided invaluable assistance in assembling the Task Force, and 
frequently offered the Brennan Center sage strategic advice. 

This report also benefited greatly from the insightful and thorough editorial assis- 
tance of Deborah Goldberg, Director of the Brennan Center’s Democracy 
Program. We are extremely grateful to Professor Henry Brady of the University
of California at Berkeley and Professor Benjamin Highton of the University of 
California at Davis for their insights into the possible effects of denial-of-service 
attacks on voting systems. The Brennan Center also thanks Bonnie Blader, inde- 
pendent consultant, who provided the Task Force with crucial research, David M. 
Siegel, independent technology consultant, for his original contributions on the 
subject of software code inspections, and Tracey Tail, Ph.D. candidate in 
Computer Science at Rutgers University, who contributed many hours of critical 
security analysis. Douglas E. Dormer, CPA, CTP provided invaluable assistance 
in developing the analysis methodology and in keeping the task force focused. 
Joseph Lorenzo Hall also must be thanked for helping the Task Force members 
understand the diversity and commonality in voting system architectures. Much 
of the legal research was conducted by Gloria Garcia and Juan Martinez, J.D. 
candidates at Benjamin N. Cardozo School of Law, and Annie Lai and S. 
Michael Oliver, J.D. candidates at NYU School of Law. Lowell Bruce McCulley, 
CSSP, was exceptionally helpful in creating the attack catalogs. Finally, we thank 
Brennan Center Research Associates Annie Chen, Lauren Jones, Ana Munoz, 
and Neema Trivedi for their many hours of dedicated assistance. 

Generous grants from an anonymous donor, the Carnegie Corporation of New 
York, the Ford Foundation, the HKH Foundation, the Knight Foundation, the 
Open Society Institute, and the Rockefeller Family Fund supported the
development and publication of this report. The statements made and views expressed
in this report are the responsibility solely of the Brennan Center. 





CONTENTS

Introduction
Limitations of Study
Summary of Findings and Recommendations
The Need for a Methodical Threat Analysis
Recurrent, Systematic Threat Analyses of Voting Systems Are Long Overdue
Solid Threat Analyses Should Help Make Voting Systems More Reliable
Methodology
Identification of Threats
Prioritizing Threats: Number of Informed Participants as Metric
Determining Number of Informed Participants
Determining the Steps and Values for Each Attack
Number of Informed Participants Needed to Change Statewide Election
Limits of Informed Participants as Metric
Effects of Implementing Countermeasure Sets
Countermeasures Examined
Basic Set of Countermeasures
Inspection
Physical Security for Machines
Chain of Custody/Physical Security of Election Day Records
Testing
Regimen for Automatic Routine Audit Plus Basic Set of Countermeasures
The Audit
Transparent Random Selection Process
Regimen for Parallel Testing Plus Basic Set of Countermeasures
Parallel Testing
Transparent Random Selection Process
Representative Model for Evaluation of Attacks and Countermeasures: Governor’s Race, State of Pennasota, 2007
Facts About Pennasota
Evaluating Attacks in Pennasota
Limits on Attacker
Targeting the Fewest Counties
Testing the Robustness of Our Findings





The Catalogs
Nine Categories of Attacks
Lessons from the Catalogs: Retail Attacks Should Not Change the Outcome of Most Close Statewide Elections
Software Attacks on Voting Machines
History of Software-Based Attacks
Vendor Desire to Prevent Software Attack Programs
Inserting the Attack Program
Points of Attack: COTS and Vendor Software
Points of Attack: Software Patches and Updates
Points of Attack: Configuration Files and Election Definitions
Points of Attack: Network Communication
Points of Attack: Device Input/Output
Technical Knowledge
Election Knowledge
Attacking the Top of the Ticket
Parameterization
Creating an Attack Program That Changes Votes
Changing System Settings or Configuration Files
Active Tampering with User Interaction or Recording of Votes
Tampering with Electronic Memory After the Fact
Eluding Independent Testing Authority Inspections
Create Different Human-Readable and Binary Code
Use Attack Compiler, Linker, Loader or Firmware
Avoiding Inspection Altogether
Avoiding Detection During Testing
Avoiding Detection After the Polls Have Closed
Deciding How Many Votes to Change
Avoiding Event and Audit Logs
Coordinating with Paper Record Attacks
Conclusions
Least Difficult Attacks Applied Against Each System
Attacks Against DREs Without VVPT
Representative “Least Difficult” Attack: Trojan Horse Inserted Into Operating System (DRE Attack Number 4)
Description of Potential Attack
How the Attack Could Swing Statewide Election
Effect of Basic Set of Countermeasures
Effect of Regimen for Parallel Testing
Infiltrating the Parallel Testing Teams
Creating an Attack That Recognizes Testing
Warning the Trojan Horse





Detecting the Test Environment
Recognizing Voting Patterns
Recognizing Usage Patterns
Taking Action When Parallel Testing Finds Discrepancies
Conclusions and Observations
Attacks Against DREs w/VVPT
Representative “Least Difficult” Attack: Trojan Horse Triggered with Hidden Commands in Ballot Definition File (DRE w/VVPT Attack Number 1a)
Attacking Both Paper and Electronic Records (DRE w/VVPT Attack Number 6)
Paper Misrecords Vote
Do Voters Review VVPT?
Effect of Regimen for Parallel Testing Plus Basic Set of Countermeasures
Effect of Regimen for Automatic Routine Audit Plus Basic Set of Countermeasures
Trojan Horse Attacks Paper at Time of Voting, Voters Fail to Review
Co-opting the Auditors
Replacing Paper Before the Automatic Routine Audit Takes Place
Replacing Some Paper Records Merely to Add Votes
Taking Action When Automatic Routine Audit Finds Anomalies
Conclusions
Attacks Against PCOS
Representative “Least Difficult” Attack: Software Attack Inserted on Memory Cards (PCOS Attack Number 41)
Description of Attack
Effect of Basic Set of Countermeasures
Effect of Regimen for Parallel Testing Plus Basic Set of Countermeasures
Effect of Regimen for Automatic Routine Audit Plus Basic Set of Countermeasures
PCOS Attack Number 42: Trojan Horse Disables Overvote Protections
PCOS Attack Number 49: Attack on Scanner Configuration Causes Misrecording of Votes
Conclusions
Prevention of Wireless Communication: A Powerful Countermeasure for All Three Systems
Security Recommendations





Directions for the Future
Witness and Cryptographic Systems
Informing Voters of Their Role in Making Systems More Secure
Additional Statistical Technical Techniques to Detect Fraud
Looking for Better Parallel Testing Techniques
Looking at Other Attack Goals
Looking at Other Races
Glossary
Endnotes

Appendices

Appendix A. Alternative Threat Analysis Models Considered
Appendix B. Voting Machine Definitions
Appendix C. Alternative Security Metrics Considered
Appendix D. Brennan Center Security Survey
Appendix E. Voting Machine Testing
Appendix F. Example of Transparent Random Selection Processes
Appendix G. Assumptions
Appendix H. Tables Supporting Pennasota Assumptions
Appendix I. Denial-of-Service Attacks
Appendix J. Chances of Catching Attack Program Through Parallel Testing
Appendix K. Chances of Catching Attack Program Through the ARA
Appendix L. Subverting the Audit
Appendix M. Effective Procedures for Dealing With Evidence of Fraud or Error

Figures

Figure 1. Voting Systems
Figure 2. Election for Governor, State of Pennasota, 2007
Figure 3. Assumed Precautions Taken by Attacker: Limits on the % of Votes Added or Subtracted for a Candidate
Figure 4. Total Votes Johnny Adams Needs to Switch to Ensure Victory: 51,891
Figure 5. Typical Flow of Information To and From Voting Machines
Figure 6. Software Attack Program: Points of Entry
Figure 7. Possible Attack on DRE with VVPT
Figure 8. Where 3% of Voters Check VVPT
Figure 9. Where 20% of Voters Check VVPT





INTRODUCTION 

Problems with voting system security are making headlines like never before. The
issue is attracting attention because of a number of factors: the rash of close,
high-profile elections since 2000, greater attention to security since September
11, 2001, the recent shift in many states from mechanical to computerized voting
systems, and high-profile reports about hacking of common electronic voting
machines.

Public attention to voting system security has the potential to be a positive force. 
Unfortunately, too much of the public discussion surrounding security has been 
marred by claims and counter-claims that are based on little more than specula- 
tion or anecdote. 

In response to this uninformed discussion, and with the intention of assisting
election officials and the public as they make decisions about their voting machines,
the Brennan Center for Justice at NYU School of Law assembled a Task Force of
internationally renowned government, academic and private-sector scientists,
voting machine experts, and security professionals to perform a methodical threat
analysis of the voting systems most commonly purchased today. This is, as far as
we know, the first systematic threat analysis of these voting systems. The
methodology, analysis, and text were extensively peer reviewed by the National Institute
of Standards and Technology (“NIST”).

In this report, the Task Force reviews several categories of threats to the
technologies of three electronic voting systems: Direct Recording Electronic voting
systems (“DREs”), DREs with a voter-verified auditable paper trail (“DREs
w/VVPT”) and Precinct Count Optical Scan (“PCOS”) systems. We then
identify, as against each system, the least difficult way for an attacker to change the
outcome of a statewide election. And finally, we examine how much more
difficult different sets of countermeasures would make these least difficult attacks. We
believe that this analysis, together with the concurrent findings and
recommended countermeasures, should help jurisdictions decide which voting systems to
certify or purchase, and how to protect those systems from security threats after
they have been purchased.

LIMITATIONS OF STUDY

As the first of its kind, this report is necessarily limited in scope. First, it is
limited to voting systems that are being widely purchased today. The study does not
include threat analyses of, most notably, ballot-marking devices,¹ vote by phone
systems,² or ballot on demand, cryptographic, or witness voting systems.³ Nor
does this study consider early voting or voting that takes place through the mail.⁴
We believe that the information and analysis included in this report can be used
to perform threat analyses that include these systems and voting methods.




FIGURE 1

VOTING SYSTEMS

Type of Voting System: Direct Recording Electronic (DRE)
Description of Voting System (described in further detail in Appendix B): A DRE
machine directly records the voter's selections in each contest, using a ballot that
appears on a display screen. Typical DRE machines have flat panel display screens with
touch-screen input, although other display technologies have been used. The defining
characteristic of these machines is that votes are captured and stored electronically.
Examples of Voting System: Microvote Infinity Voting Panel; Hart InterCivic eSlate;
Sequoia AVC Edge; Sequoia AVC Advantage; ES&S iVotronic; ES&S iVotronic LS;
Diebold AccuVote-TS; Diebold AccuVote-TSX; UniLect Patriot

Type of Voting System: DRE with Voter-Verified Paper Trail (DRE w/VVPT)
Description of Voting System (described in further detail in Appendix B): A DRE w/VVPT
captures a voter's choice both internally in electronic form, and contemporaneously on
paper. A DRE w/VVPT allows the voter to confirm the accuracy of the paper record to
provide voter-verification.
Examples of Voting System: ES&S iVotronic system with Real Time Audit Log;
Diebold AccuVote-TSX with AccuView printer; Sequoia AVC Edge with VeriVote printer;
Hart InterCivic eSlate with VVPAT; UniLect Patriot with VVPAT

Type of Voting System: Precinct Count Optical Scan (PCOS)
Description of Voting System (described in further detail in Appendix B): PCOS voting
machines allow voters to mark paper ballots, typically with pencils or pens,
independent of any machine. Voters then carry their sleeved ballots to a scanner. At the
scanner, they un-sleeve the ballot and insert into the scanner, which optically records
the vote.
Examples of Voting System: Diebold AccuVote-OS; ES&S Model 100; Sequoia Optech Insight


Second, our threat analysis is made in the context of a hypothetical statewide
race. There is no reason why the methods used in this analysis cannot be applied
to local (or national) races. We believe that such analyses would also be helpful in
assisting jurisdictions with certification, purchase, and security decisions, but they
were outside the scope of this study.

Third, our study is limited to an analysis of technology-specific threats. There are
many types of potential attacks on election accuracy and credibility. We have not
analyzed technology-neutral threats such as voter intimidation, illegal
manipulation of voter rolls, or purges of voter rolls. We believe that such threats must be
addressed. Because these threats are not specific to any particular voting system
(they should have the same impact on elections, regardless of the type of
system a jurisdiction uses), however, they were not part of our study.




Fourth, our analysis assumed that certain fundamental physical security and
accounting procedures were already in place. Without good procedures, no
voting system can be secured. We assumed the operation of a consistent set of
procedures drawn from interviews with election officials in order to evaluate the
number of informed participants involved in a given attack. All three systems are
more vulnerable to attack if appropriate internal controls and procedures are not
followed.




Fifth, the report does not address other important factors that must be
considered when making decisions about voting systems. Separate from (but
concurrent with) its work with the Task Force on Voting System Security, the
Brennan Center has completed a series of reports with task forces on voting
system accessibility, usability and cost. In making decisions about their
voting systems, jurisdictions must balance their security concerns with
important concerns in these other areas.

Finally, our study looks at the ability of persons to successfully execute an
attack without detection. Ultimately it will be up to local jurisdictions to
develop clear policies and procedures to ensure that when they find evidence
of fraud or accident sufficient to change the outcome of a particular
election, appropriate remedial action is taken.


SUMMARY OF FINDINGS AND RECOMMENDATIONS

Three fundamental points emerge from our threat analysis: 

All three voting systems have significant security and reliability
vulnerabilities, which pose a real danger to the integrity of national, state,
and local elections.

The most troubling vulnerabilities of each system can be substantially
remedied if proper countermeasures are implemented at the state and local
level.

Few jurisdictions have implemented any of the key countermeasures that could
make the least difficult attacks against voting systems much more difficult
to execute successfully.

Voting System Vulnerabilities

After a review of more than 120 potential threats to voting systems, the Task
Force reached the following crucial conclusions:

For all three types of voting systems: 

When the goal is to change the outcome of a close statewide election, attacks
that involve the insertion of Software Attack Programs or other corrupt
software are the least difficult attacks.

Voting machines that have wireless components are significantly more
vulnerable to a wide array of attacks. Currently, only two states, New York
and Minnesota, ban wireless components on all voting machines.

For DREs without voter-verified paper trails:

DREs without voter-verified paper trails do not have available to them a
powerful countermeasure to software attacks: post-election Automatic Routine
Audits that compare paper records to electronic records.

For DREs w/VVPT and PCOS:

The voter-verified paper record, by itself, is of questionable security value.
The paper record has significant value only if an Automatic Routine Audit is
performed (and a well-designed chain of custody and physical security
procedures is followed). Of the 26 states that mandate voter-verified paper
records, only 12 require regular audits.

Even if jurisdictions routinely conduct audits of voter-verified paper
records, DREs w/VVPT and PCOS are vulnerable to certain software attacks or
errors. Jurisdictions that conduct audits of paper records should be aware of
these potential problems.

Security Recommendations 

There are a number of steps that jurisdictions can take to address the
vulnerabilities identified in the threat analysis and thus to make their
voting systems significantly more secure. Specifically, we recommend adoption
of the following security measures:

1. Conduct Automatic Routine Audits comparing voter-verified paper records
to the electronic record following every election. A voter-verified paper
record accompanied by a solid Automatic Routine Audit of those records can
go a long way toward making the least difficult attacks much more difficult.

2. Perform “Parallel Testing” (selecting voting machines at random and testing
them as realistically as possible) on Election Day. For paperless DREs,
in particular, Parallel Testing will help jurisdictions detect software-based
attacks as well as subtle software bugs that may not be discovered during
inspection and other testing. The Task Force does not recommend Parallel
Testing as a substitute for the use of voter-verified paper records with an
Automatic Routine Audit.

3. Ban use of voting machines with wireless components. All three voting sys- 
tems are more vulnerable to attack if they have wireless components. 





4. Use a transparent and random selection process for all auditing procedures. 
For any auditing to be effective (and to ensure that the public is confident in 
such procedures), jurisdictions must develop and implement transparent and 
random selection procedures. 

5. Ensure decentralized Programming and Voting System administration.
Where a single entity, such as a vendor or state or national consultant,
performs key tasks for multiple jurisdictions, attacks against statewide
elections become easier.

6. Institute clear and effective procedures for addressing evidence of fraud
or error. Both Automatic Routine Audits and Parallel Testing are of
questionable security value without effective procedures for action where
evidence of machine malfunction or fraud is discovered. Detection of fraud
without an appropriate response will not prevent attacks from succeeding.

Fortunately, these steps are not particularly complicated or cumbersome. For
the most part, they do not involve significant changes in system architecture.
Few jurisdictions have implemented any of the recommended countermeasures.





THE NEED FOR A METHODICAL THREAT ANALYSIS

Is an independent study of voting system security really necessary? Have we
not managed, in our nation’s 230-year history, to avoid the kind of attacks
about which certain advocates are suddenly warning?

RECURRENT, SYSTEMATIC THREAT ANALYSES OF VOTING SYSTEMS ARE LONG OVERDUE

The simple answer is that regular examinations of voting system security are
necessary because we have not always successfully avoided attacks on voting
systems - in fact, various types of attacks on voting systems and elections
have a “long tradition” in American history. The suspicion or discovery of
such attacks has generally provoked momentary outrage, followed by periods of
historical amnesia.

In his 1934 book on this issue, Joseph Harris documented numerous cases of
attacks on voting systems, including ballot box stuffing, alteration of
ballots, substitution of ballots, false counts, posting of false returns, and
alteration of returns. More recent examples of tampering with voting systems
have been exposed in the last two decades.

In the past, when security and reliability issues surrounding elections have
bubbled to the surface of public consciousness, Americans have embraced new
technology. It is therefore not particularly surprising that, following the
controversial 2000 presidential elections, we have again turned to new voting
machines to address our concerns.

These new machines promise great advancements in the areas of accessibility 
and usability. But all technology, no matter how advanced, is going to be vulner- 
able to attack to some degree. Many of the vulnerabilities present in our new vot- 
ing technologies are the same that have always existed; some are new. 

The main lesson of the history of attacks on voting systems is that we would
be foolish to assume there would not be attacks on voting systems in the
future. The best that we can do is understand what vulnerabilities exist and
take the proper precautions to ensure that the easiest attacks, with the
potential to affect the most votes, are made as difficult as possible.

SOLID THREAT ANALYSES SHOULD HELP MAKE VOTING SYSTEMS MORE RELIABLE


There is an additional benefit to this kind of analysis: it should help make
our voting systems more reliable, regardless of whether they are ever
attacked. Computerized voting systems - like all previous voting systems -
have shown themselves vulnerable to error. Votes have been miscounted or lost
as a result of defective firmware, faulty machine software, defective tally
server software, election programming errors, machine breakdowns,
malfunctioning input devices, and poll worker error.

As Professor Douglas Jones has noted: “An old maxim in the area of computer
security is clearly applicable here: Almost everything that a malicious
attacker could attempt could also happen by accident; for every malicious
attacker, there may be thousands of people making ordinary careless errors.”
Solid threat analyses should help to expose and to address vulnerabilities in
voting systems, not just to security breaches, but also to simple malfunctions
that could be avoided.




Firmware is software that is embedded in the voting machine.





METHODOLOGY 

The Task Force concluded, and the peer review team at NIST agreed, that the
best approach for comprehensively evaluating voting system threats was to: (1)
identify and categorize the potential threats against voting systems, (2)
prioritize these threats based upon an agreed upon metric (which would tell us
how difficult each threat is to accomplish from the attacker’s point of view),
and (3) determine, utilizing the same metric employed to prioritize threats,
how much more difficult each of the catalogued attacks would become after
various sets of countermeasures are implemented.

This model allows us to identify the attacks we should be most concerned about
(i.e., the most practical and least difficult attacks). Furthermore, it allows
us to quantify the potential effectiveness of various sets of countermeasures
(i.e., how difficult the least difficult attack is after the countermeasure
has been implemented). Other potential models considered, but ultimately
rejected by the Task Force, are detailed in Appendix A.


IDENTIFICATION OF THREATS

The first step in creating a threat model for voting systems was to identify
as many potential attacks as possible. To that end, the Task Force, together
with the participating election officials, spent several months identifying
voting system vulnerabilities. Following this work, NIST held a Voting Systems
Threat Analysis Workshop on October 7, 2005. Members of the public were
invited to write up and post additional potential attacks. Taken together,
this work produced over 120 potential attacks on the three voting systems.
They are detailed in the catalogs. Many of the attacks are described in more
detail at http://vote.nist.gov/threats/papers.htm.

The types of threats detailed in the catalogs can be broken down into nine
categories: (1) the insertion of corrupt software into machines prior to
Election Day; (2) wireless and other remote control attacks on voting machines
on Election Day; (3) attacks on tally servers; (4) miscalibration of voting
machines; (5) shut-off of voting machine features intended to assist voters;
(6) denial-of-service attacks; (7) actions by corrupt poll workers or others
at the polling place to affect votes cast; (8) vote-buying schemes; and (9)
attacks on ballots or VVPT. Often, the actual attacks involve some combination
of these categories. We provide a discussion of each type of attack in “Nine
Categories of Attacks,” infra pp. 24-27.


PRIORITIZING THREATS: NUMBER OF INFORMED PARTICIPANTS AS METRIC

Without some form of prioritization, a compilation of the threats is of
limited value. Only by prioritizing these various threats could we help
election officials identify which attacks they should be most concerned about,
and what steps could be taken to make such attacks as difficult as possible.
As discussed below, we have determined the level of difficulty for each attack
where the attacker is attempting to affect the outcome of a close statewide
election.

There is no perfect way to determine which attacks are the least difficult,
because each attack requires a different mix of resources: well-placed
insiders, money, programming skills, security expertise, etc. Different
attackers would find certain resources easier to acquire than others. For
example, election fraud committed by local election officials would always
involve well-placed insiders and a thorough understanding of election
procedures; at the same time, there is no reason to expect such officials to
have highly skilled hackers or first-rate programmers working with them. By
contrast, election fraud carried out by a foreign government would likely
start with plenty of money and technically skilled attackers, but probably
without many conveniently placed insiders or detailed knowledge of election
procedures.

Ultimately, we decided to use the “number of informed participants” as the met- 
ric for determining attack difficulty. An attack which uses fewer participants is 
deemed the easier attack. 

We have defined “informed participant” as someone whose participation is need- 
ed to make the attack work, and who knows enough about the attack to foil or 
expose it. This is to be distinguished from a participant who unknowingly assists 
the attack by performing a task that is integral to the attack’s successful execution 
without understanding that the task is part of an attack on voting systems. 

The reason for using the security metric “number of informed participants” is 
relatively straightforward: the larger a conspiracy is, the more difficult it would be 
to keep it secret. Where an attacker can carry out an attack by herself, she need 
only trust herself. On the other hand, a conspiracy that requires thousands of 
people to take part (like a vote-buying scheme) also requires thousands of people 
to keep quiet. The larger the number of people involved, the greater the likeli- 
hood that one of them (or one who was approached, but declined to take part) 
would either inform the public or authorities about the attack, or commit some 
kind of error that causes the attack to fail or become known. 

Moreover, recruiting a large number of people who are willing to undermine the 
integrity of a statewide election is also presumably difficult. It is not hard to imag- 
ine two or three people agreeing to work to change the outcome of an election. 
It seems far less likely that an attacker could identify and employ hundreds or 
thousands of similarly corrupt people without being discovered. 

We can get an idea of how this metric works by looking at one of the threats
listed in our catalog: the vote-buying threat, where an attacker or attackers
pay individuals to vote for a particular candidate. This is Attack Number 26
in the PCOS Attack Catalog (though this attack would not be substantially
different against DREs or DREs w/VVPT). In order to work under our current
types of voting systems, this attack requires (1) at least one person to
purchase votes, (2) many people to agree to sell their votes, and (3) some way
for the purchaser to confirm that the voters she pays actually voted for the
candidate she supported. Ultimately, we determined that, while practical in
smaller contests, a vote-buying attack would be an exceptionally difficult way
to affect the outcome of a statewide election. This is because, even in a
typically close statewide election, an attacker would need to involve
thousands of voters to ensure that she could affect the outcome of a statewide
race.

For a discussion of other metrics we considered, but ultimately rejected, see
Appendix G.

DETERMINING NUMBER OF INFORMED PARTICIPANTS

DETERMINING THE STEPS AND VALUES FOR EACH ATTACK

The Task Force members broke down each of the catalogued attacks into its
necessary steps. For instance, Attack Number 12 in the PCOS Attack Catalog is
“Stuffing Ballot Box with Additional Marked Ballots.” We determined that, at
a minimum, there were three component parts to this attack: (1) stealing or
creating the ballots and then marking them, (2) scanning marked ballots
through the PCOS scanners, probably before the polls opened, and (3) modifying
the poll books in each location to ensure that the total number of votes in
the ballot boxes was not greater than the number of voters who signed in at
the polling place.

Task Force members then assigned a value representing the minimum number of
persons they believed would be necessary to accomplish each goal. For PCOS
Attack Number 12, the following values were assigned:

Minimum number required to steal or create ballots: 5 persons total.

Minimum number required to scan marked ballots: 1 person per polling place
attacked.

Minimum number required to modify poll books: 1 person per polling place
attacked.

After these values were assigned, the Brennan Center interviewed several
election officials to see whether they agreed with the steps and values
assigned to each attack. When necessary, the values and steps were modified.
The new catalog, including attack steps and values, were then reviewed by Task
Force members. The purpose of this review was to ensure, among other things,
that the steps and values were sound.

These steps and values tell us how difficult it would be to accomplish a
single attack in a single polling place. They do not tell us how many people
it would take to change the outcome of an election successfully - that
depends, of course, on specific facts about the jurisdiction: how many votes
are generally recorded in each polling place, how many polling places are
there in the jurisdiction, and how close is the race? For this reason, we
determined that it was necessary to construct a hypothetical jurisdiction, to
which we now turn.

NUMBER OF INFORMED PARTICIPANTS NEEDED TO CHANGE STATEWIDE ELECTION

We have decided to examine the difficulty of each attack in the context of
changing the outcome of a reasonably close statewide election. While we are
concerned by potential attacks on voting systems in any type of election, we
are most troubled by attacks that have the potential to affect large numbers
of votes. These are the attacks that could actually change the outcome of a
statewide election with just a handful of attack participants.

We are less troubled by attacks on voting systems that can only affect a small
number of votes (and might therefore be more useful in local elections). This
is because there are many non-system attacks that can also affect a small
number of votes (i.e., sending out misleading information about polling
places, physically intimidating voters, submitting multiple absentee ballots,
etc.). Given the fact that these non-system attacks are likely to be less
difficult in terms of number of participants, financial cost, risk of
detection, and time commitment, we are uncertain that an attacker would target
voting machines to alter a small number of votes.

In order to evaluate how difficult it would be for an attacker to change the
outcome of a statewide election, we created a composite jurisdiction. The
composite jurisdiction was created to be representative of a relatively close
statewide election. We did not want to examine a statewide election where
results were so skewed toward one candidate (for instance, the re-election of
Senator Edward M. Kennedy in 2000, where he won 73% of the vote), that
reversing the election results would be impossible without causing extreme
public suspicion. Nor did we want to look at races where changing only a
relative handful of votes (for instance, the governor’s race in Washington
State in 2004, which was decided by a mere 129 votes) could affect the outcome
of an election; under this scenario, many of the potential attacks would
involve few people, and therefore look equally difficult.

We have named our composite jurisdiction “the State of Pennasota.” The State
of Pennasota is a composite of ten states: Colorado, Florida, Iowa, Ohio, New
Mexico, Pennsylvania, Michigan, Nevada, Wisconsin and Minnesota. These states
were chosen because they were the ten “battleground” states that Zogby
International consistently polled in the spring, summer, and fall 2004. These
are statewide elections that an attacker would have expected, ahead of time,
to be fairly close.





We have also created a composite election, which we label the “Governor’s
Race” in Pennasota. The results of this election are a composite of the actual
results in the same ten states in the 2004 Presidential Election.

We have used these composites as the framework by which to evaluate the
difficulty of the various catalogued attacks. For instance, we know a
ballot-box stuffing attack would require roughly five people to create and
mark fake ballots, as well as one person per polling place to stuff the boxes,
and one person per polling place to modify the poll books. But, in order to
determine how many informed participants would be needed to affect a statewide
race, we need to know how many polling places would need to be attacked.

The composite jurisdiction and composite election provide us with information 
needed to answer these questions: i.e., how many extra votes our attackers would 
need to add to their favored candidate’s total for him to win, how many ballots 
our attackers can stuff into a particular polling place’s ballot box without arous- 
ing suspicion (and related to this, how many votes are generally cast in the aver- 
age polling place), how many polling places are there in the state, etc. We provide 
details about both the composite jurisdiction and election in the section entitled 
“Governors Race, State of Pennasota, 2007,” infra pp. 20-23. 
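
The following is an added example, not part of the report, showing how the per-step values scale from one polling place to a statewide race under the number-of-informed-participants metric. The step values for PCOS Attack Number 12 are the report's; the votes needed, the ballots that can be added per polling place, and the reading of vote buying as one informed seller per vote are constructed assumptions, not Pennasota figures.

```python
"""Added example: scaling the informed-participants metric to a statewide race."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Step:
    """One necessary step of an attack and the minimum people it needs."""
    name: str
    fixed: int = 0              # people needed once, for the whole attack
    per_polling_place: int = 0  # people needed at each polling place attacked
    per_vote: int = 0           # people needed for each vote changed


@dataclass(frozen=True)
class Attack:
    name: str
    steps: Tuple[Step, ...]
    # Votes one polling place can yield without arousing suspicion.
    # None means the attack is not carried out polling place by polling place.
    votes_per_polling_place: Optional[int] = None


def polling_places_needed(attack: Attack, votes_needed: int) -> int:
    """Polling places that must be attacked to shift votes_needed votes."""
    if votes_needed <= 0:
        raise ValueError("votes_needed must be positive")
    if attack.votes_per_polling_place is None:
        return 0
    if attack.votes_per_polling_place <= 0:
        raise ValueError("votes_per_polling_place must be positive")
    # Ceiling division: a partly used polling place still needs its people.
    return -(-votes_needed // attack.votes_per_polling_place)


def informed_participants(attack: Attack, votes_needed: int) -> int:
    """Minimum number of informed participants for a statewide attack."""
    places = polling_places_needed(attack, votes_needed)
    total = 0
    for step in attack.steps:
        if step.per_polling_place and attack.votes_per_polling_place is None:
            raise ValueError(f"{step.name!r} needs votes_per_polling_place")
        total += (step.fixed
                  + step.per_polling_place * places
                  + step.per_vote * votes_needed)
    return total


def rank_least_difficult_first(attacks, votes_needed):
    """Fewer informed participants means an easier attack, so it sorts first."""
    return sorted((informed_participants(a, votes_needed), a.name) for a in attacks)


# Step values as given in the report for PCOS Attack Number 12.
BALLOT_STUFFING = Attack(
    name="PCOS Attack Number 12 (ballot box stuffing)",
    steps=(
        Step("steal or create and mark ballots", fixed=5),
        Step("scan marked ballots", per_polling_place=1),
        Step("modify poll books", per_polling_place=1),
    ),
    votes_per_polling_place=100,  # constructed value, not from the report
)

# The report gives "at least one" purchaser and "many" sellers; one informed
# seller per vote is an assumption made here. The confirmation requirement
# has no head count in the report and is not modelled.
VOTE_BUYING = Attack(
    name="PCOS Attack Number 26 (vote buying)",
    steps=(
        Step("purchase votes", fixed=1),
        Step("voters who sell their votes", per_vote=1),
    ),
)

VOTES_NEEDED = 50_000  # constructed margin, not the Pennasota figure

if __name__ == "__main__":
    for count, name in rank_least_difficult_first(
            [VOTE_BUYING, BALLOT_STUFFING], VOTES_NEEDED):
        print(f"{count:>7} informed participants: {name}")
```

Under these constructed inputs the polling-place multiplier dominates the fixed cost of five ballot makers, which is why the number of polling places attacked is the figure the composite jurisdiction has to supply.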


LIMITS OF INFORMED PARTICIPANTS AS METRIC

Of the possible metrics we considered, we believe that measuring the number of
people who know they are involved in an attack (and thus could provide
evidence of the attack to the authorities and/or the media), is the best
single measure of attack difficulty; as already discussed, we have concluded
that the more people an attacker is forced to involve in his attack, the more
likely it is that one of the participants would reveal the attack’s existence
and foil the attack, perhaps sending attackers to jail. However, we are aware
of a number of places where the methodology could provide us with questionable
results.


Steganography is "the art and science of writing hidden messages in such a way
that no one apart from the intended recipient knows of the existence of the
message."


By deciding to concentrate on the size of an attack team, we mostly ignore the
need for other resources when planning an attack. Thus, a software attack on
DREs which makes use of steganography to hide attack instruction files (see
“DRE w/VVPT Attack Number 1a,” discussed in greater detail, infra pp. 62-64)
is considered easier than an attack program delivered over a wireless network
at the polling place (see discussion of wireless networks, infra pp. 85-86).
However, the former attack probably requires a much more technologically
sophisticated attacker.


Another imperfection with this metric is that we do not have an easy way to
represent how much choice the attacker has in finding members of his attack
team. Thus, with PCOS voting we conclude that the cost of subverting a routine
audit of ballots is roughly equal to the cost of intercepting ballot boxes in
transit and substituting altered ballots (see discussion of PCOS attacks,
infra pp. 77-84). However, subverting the audit team requires getting a
specific set of trusted people to cooperate with the attacker. By contrast,
the attacker may be able to decide which precincts to tamper with based on
which people she has already recruited for her attack.

In an attempt to address this concern, we considered looking at the number of
“insiders” necessary to take part in each attack. Under this theory, getting
five people to take part in a conspiracy to attack a voting system might not
be particularly difficult. But getting five well-placed county election
officials to take part in the attack would be (and should be labeled) the more
difficult of the two attacks. Because, for the most part, the low-cost attacks
we have identified do not necessarily involve well placed insiders (but could,
for instance, involve one of many people with access to commercial
off-the-shelf software (“COTS”) during development or at the vendor), we do
not believe that using this metric would have substantially changed our
analysis.

Finally, these attack team sizes do not always capture the logistical
complexity of an attack. For example, an attack on VVPT machines involving
tampering with the voting machine software and also replacing the paper
records in transit requires the attacker to determine what votes were falsely
produced by the voting machine and print replacement records in time to
substitute them. While this is clearly possible, it raises a lot of
operational difficulties - a single failed substitution leaves the possibility
that the attack would be detected during the audit of ballots.

We have tried to keep these imperfections in mind when analyzing and discussing 
our least difficult attacks. 

We suspect that much of the disagreement between voting officials and computer
security experts in the last several years stems from a difference of opinion
in prioritizing the difficulty of attacks. Election officials, with extensive
experience in the logistics of handling tons of paper ballots, have little
faith in paper and understand the kind of breakdowns in procedures that lead
to traditional attacks like ballot box stuffing; in contrast, sophisticated
attacks on computer voting systems appear very difficult to many of them.
Computer security experts understand sophisticated attacks on computer systems
and recognize the availability of tools and expertise that makes these attacks
practical to launch, but have no clear idea how they would manage the
logistics of attacking a paper-based system. Looking at attack team size is
one way to bridge this difference in perspective.

EFFECTS OF IMPLEMENTING COUNTERMEASURE SETS

The final step of our threat analysis is to measure the effect of certain
countermeasures against the catalogued attacks. How much more difficult would
the attacks become once the countermeasures are put into effect? How many more
informed participants (if any) would be needed to counter or defeat these
countermeasures?





Our process for examining the effectiveness of a countermeasure mirrors the
process for determining the difficulty of an attack; we first asked whether
the countermeasure would allow us to detect an attack with near certainty. If
we agreed that the countermeasure would expose the attack, we identified the
steps that would be necessary to circumvent or defeat the countermeasure. For
each step to defeat the countermeasure, we determined the number of additional
informed participants (if any) that an attacker would need to add to his team.

As with the process for determining attack difficulty, the Brennan Center inter- 
viewed numerous election officials to see whether they agreed with the steps and 
values assigned. When necessary, the values and steps for defeating the counter- 
measures were altered to reflect the input of election officials. 

COUNTERMEASURES EXAMINED

BASIC SET OF COUNTERMEASURES

The first set of countermeasures we looked at is the “Basic Set” of
countermeasures. This Basic Set was derived from security survey responses we
received from county election officials around the country, as well as
additional interviews with more than a dozen current and former election
officials. Within the Basic Set of countermeasures are the following
procedures:

Inspection

The jurisdiction is not knowingly using any uncertified software that is
subject to inspection by the Independent Testing Authority (often referred to
as the “ITA”).

Physical Security for Machines

Ballot boxes (to the extent they exist) are examined (to ensure they are
empty) and locked by poll workers immediately before the polls are opened.

Before and after being brought to the polls for Election Day, voting systems
for each county are locked in a single room, in a county warehouse.

The warehouse has perimeter alarms, secure locks, video surveillance and
regular visits by security guards.

Access to the warehouse is controlled by sign-in, possibly with card keys or
similar automatic logging of entry and exit for regular staff.

Some form of “tamper-evident” seals are placed on machines before and after
each election.





The machines are transported to polling locations five to fifteen days before 
Election Day. 

Chain of Custody/Physical Security of Election Day Records

At close of the polls, vote tallies for each machine are totaled and compared
with number of persons that have signed the poll books.

A copy of totals for each machine is posted at each polling place on election
night and taken home by poll workers to check against what is posted publicly
at election headquarters, on the web, in the papers, or elsewhere.

All audit information (i.e., Event Logs, VVPT records, paper ballots, machine
printouts of totals) that is not electronically transmitted as part of the
unofficial upload to the central election office, is delivered in official,
sealed and hand-delivered information packets or boxes. All seals are numbered
and tamper-evident.

Transportation of information packets is completed by two election officials
representing opposing parties who have been instructed to remain in joint
custody of the information packets or boxes from the moment it leaves the
precinct to the moment it arrives at the county election center.

Each polling place sends its information packets or boxes to the county
election center separately rather than having one truck or person pick up this
data from multiple polling locations.

Once the sealed information packets or boxes have reached the county election
center, they are logged. Numbers on the seals are checked to ensure that they
have not been replaced. Any broken or replaced seals are logged. Intact seals
are left intact.

After the packets and/or boxes have been logged, they are provided with
physical security precautions at least as great as those listed for voting
machines, above. Specifically, for Pennasota, we have assumed that the room in
which the packets are stored has perimeter alarms, secure locks, video
surveillance and regular visits by security guards and county police officers,
and that access to the room is controlled by sign-in, possibly with card keys
or similar automatic logging of entry and exit for regular staff.

Testing

An Independent Testing Authority has certified the model of voting machine
used in the polling place.





Acceptance Testing is performed on machines at the time, or soon after, they
are received by the County.

Pre-election Logic and Accuracy testing is performed by the relevant election
official.

Prior to opening the polls, every voting machine and vote tabulation system
is checked to see that it is still configured for the correct election,
including the correct precinct, ballot style, and other applicable details.


REGIMEN FOR AUTOMATIC ROUTINE AUDIT 
PLUS BASIC SET OF COUNTERMEASURES. 

The second set of countermeasures is the Regimen for an Automatic Routine 
Audit Plus Basic Set of Countermeasures. 

Some form of routine auditing of voter-verified paper records to test the accura- 
cy of electronic voting machines occurs in 12 states. They generally require that 
between 1 and 10% of all precinct voting machines be audited after each
election.

Jurisdictions can implement this set of countermeasures only if their voting sys- 
tems produce some sort of voter-verified paper record of each vote. This could 
be in the form of a paper ballot, in the case of PCOS, or a voter-verified paper 
trail (“VVPT”), in the case of DREs.

We have assumed that jurisdictions take the following steps when conducting an 
Automatic Routine Audit (when referring to this set of assumptions “Regimen for 
an Automatic Routine Audit”): 


The Audit 

Leaders of the major parties in each county are responsible for selecting a
sufficient number of audit-team members to be used in that county.

Using a highly transparent random selection mechanism (see infra p. 17), the
voter-verified paper records for a small percentage of all voting machines in
the State are selected for auditing.

Using a transparent random selection method, auditors are assigned to the
selected machines (two or three people, with representatives of each major
political party, would comprise each audit team).


The selection of voting machines and the assignment of auditors to machines
occurs immediately before the audit takes place. The audit takes place as
soon as possible after polls close - for example, at 9 a.m. the morning after
polls close.

Using a transparent random selection method, county police officers, security
personnel and the video monitor assigned to guard the voter-verified
records are chosen from a large pool of on-duty officers and employees on
election night.

The auditors are provided the machine tallies and are able to see that the
county tally reflects the sums of the machine tallies before the start of the
inspection of the paper.

The audit would include a tally of spoiled ballots (in the case of VVPT, the
number of cancellations recorded), overvotes, and undervotes.

Transparent Random Selection Process 

In this report, we have assumed that random auditing procedures are in place for
both the Regimen for an Automatic Routine Audit and Regimen for Parallel
Testing (see infra p. 18). We have further assumed procedures to prevent a single,
corrupt person from being able to fix the results. This implies a kind of
transparent and public random procedure.

For the Regimen for an Automatic Routine Audit there are at least two places 
where transparent, random selection processes are important: in the selection of 
precincts to audit and in the assignment of auditors to the precincts they will be 
auditing.

Good election security can employ Transparent Random Selection in other 
places with good effect: 

The selection of parallel testers from a pool of qualified individuals. 

The assignment of police and other security professionals from on-duty lists
to monitor key materials, for example, the VVPT records between the time
that they arrive at election central and the time of the completion of the
Automatic Routine Audit.

If a selection process for auditing is to be trustworthy and trusted, ideally: 

The whole process will be publicly observable or videotaped;

The random selection will be publicly verifiable, i.e., anyone observing will be
able to verify that the sample was chosen randomly (or at least that the number
selected is not under the control of any small number of people); and

The process will be simple and practical within the context of current election
practice so as to avoid imposing unnecessary burdens on election officials.

There are a number of ways that election officials can ensure some kind of trans- 
parent randomness. One way would be to use a state lottery machine to select 
precincts or polling places for auditing. We have included two potential examples 
of transparent random selection processes in Appendix F. These apply to the 
Regimen for Parallel Testing as well. 
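
One way to meet the "publicly verifiable" requirement described above, shown as an added example; it is not taken from the report or its Appendix F. It assumes a seed read off publicly rolled ten-sided dice, a machine list whose digest is published before the roll, SHA-256 ranking, and constructed machine ids, party names and a 2% audit rate.

```python
import hashlib


def manifest_digest(machine_ids):
    """SHA-256 of the canonical machine list, to be published before the draw."""
    if len(set(machine_ids)) != len(machine_ids):
        raise ValueError("duplicate machine id in manifest")
    canonical = "\n".join(sorted(machine_ids)).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def _rank(seed, purpose, item):
    # Domain-separated hash: one seed gives independent orderings for the
    # machine draw and for each party's auditor list.
    return hashlib.sha256(f"{purpose}|{seed}|{item}".encode("utf-8")).hexdigest()


def check_seed(seed):
    """The seed is the digit string read off the publicly rolled dice."""
    if not (seed.isascii() and seed.isdigit() and len(seed) >= 20):
        raise ValueError("seed must be at least 20 decimal digits")
    return seed


def select_machines(machine_ids, seed, percent):
    """Pick ceil(percent% of machines) by ranking every id on the seeded hash."""
    check_seed(seed)
    manifest_digest(machine_ids)  # rejects duplicate ids
    count = max(1, -(-len(machine_ids) * percent // 100))  # integer ceiling
    return sorted(machine_ids, key=lambda m: _rank(seed, "machine", m))[:count]


def assign_teams(selected, auditors_by_party, seed):
    """Give each selected machine one auditor per party, order fixed by the seed."""
    check_seed(seed)
    teams = {machine: [] for machine in selected}
    for party in sorted(auditors_by_party):
        pool = sorted(auditors_by_party[party],
                      key=lambda a: _rank(seed, "auditor:" + party, a))
        if len(pool) < len(selected):
            raise ValueError(f"not enough auditors for party {party}")
        for machine, auditor in zip(selected, pool):
            teams[machine].append((party, auditor))
    return teams


def observer_verifies(published_digest, machine_ids, seed, percent, announced):
    """Recompute the draw from public inputs only; True if it matches."""
    return (manifest_digest(machine_ids) == published_digest
            and select_machines(machine_ids, seed, percent) == announced)


if __name__ == "__main__":
    # Constructed sample data: 100 precincts with two machines each.
    machines = [f"P{p:03d}-M{m}" for p in range(1, 101) for m in (1, 2)]
    digest = manifest_digest(machines)       # published before the dice roll
    seed = "58371940265713908246"            # constructed 20-digit dice result
    sample = select_machines(machines, seed, 2)
    auditors = {"Dem-Rep": [f"DR-{i}" for i in range(6)],
                "Federalists": [f"F-{i}" for i in range(6)]}
    for machine, team in assign_teams(sample, auditors, seed).items():
        print(machine, team)
    print("observer check:", observer_verifies(digest, machines, seed, 2, sample))
```

Because the manifest digest is fixed before the dice are rolled and every later step is a deterministic function of public inputs, no single official controls which machines are drawn or who audits them.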

REGIMEN FOR PARALLEL TESTING PLUS BASIC SET OF COUNTERMEASURES 

The final set of countermeasures we have examined is the Regimen for Parallel 
Testing Plus Basic Set of Countermeasures. Parallel Testing, also known as elec- 
tion-day testing, involves selecting voting machines at random and testing them 
as realistically as possible during the period that votes are being cast. 

Parallel Testing 

In developing our set of assumptions for Parallel Testing, we relied heavily upon 
interviews with Jocelyn Whitney, Project Manager for Parallel Testing in the State 
of California, and conclusions drawn from this Report. In our analysis, we
assume that the following procedures would be included in the Parallel Testing 
regimen (when referring to this regimen “Regimen for Parallel Testing”) that we 
evaluate: 

At least two of each DRE model (meaning both vendor and model) would be 
selected for Parallel Testing. 

At least two DREs from each of the three largest counties would be parallel
tested.

Counties to be parallel tested would be chosen by the Secretary of State in a
transparent and random manner.

Counties would be notified as late as possible that machines from one of their
precincts would be selected for Parallel Testing.

Precincts would be selected through a transparent random mechanism.

A video camera would record testing.

For each test, there would be one tester and one observer.


Parallel Testing would occur at the polling place. 





The script for Parallel Testing would be generated in a way that mimics voter
behavior and voting patterns for the polling place.

At the end of the Parallel Testing, the tester and observer would reconcile
vote totals in the script with vote totals reported on the machine.

Transparent Random Selection Process 

We further assume that the same type of transparent random selection process 
that would be used for the Regimen for Automatic Routine Audit would also be 
employed for the Regimen for Parallel Testing to determine which machines 
would be subjected to testing on Election Day. 





REPRESENTATIVE MODEL FOR EVALUATING
ATTACKS AND COUNTERMEASURES:
GOVERNOR’S RACE, STATE OF PENNASOTA, 2007

In this section, we provide the assumptions that we have made concerning (1) the 
governor’s race in the State of Pennasota, and (2) the limitations that our
attacker would face in attempting to subvert that election.

FACTS ABOUT PENNASOTA

In creating our assumptions for Pennasota’s gubernatorial race, we have
averaged the results of the 2004 Presidential Election in ten “battleground” states.
Based upon this average, we have assumed that 3,459,379 votes would be cast in
Pennasota’s gubernatorial election. The average margin of victory in the 10
battleground states was 2.3%. Accordingly, we assumed that this would be the
margin of victory between the two main candidates in our hypothetical election (in
total votes, this is 80,257).


FIGURE 2

ELECTION FOR GOVERNOR, STATE OF PENNASOTA, 2007

Candidate        Party         Total Votes   Percentage of Votes
Tom Jefferson    Dem-Rep       1,769,818     51.1
Johnny Adams     Federalists   1,689,650     48.8


A table that documents all of the relevant numbers for Pennasota and the 2007 
gubernatorial election is provided in Appendix G.

EVALUATING ATTACKS IN PENNASOTA

To complete our analysis, we ran each attack through the 2007 governor’s race 
in Pennasota. The goal was to determine how many informed participants would 
be needed to move the election from Tom Jefferson to Johnny Adams. 

We have assumed that our attacker would seek to change these results so that
Johnny Adams is assured victory. Accordingly, although the election is decided by
2.3% of the vote, we have calculated that the attacker’s goal is to (1) add 3.0% (or
103,781 votes) to Johnny Adams’ total, (2) subtract 3.0% of the total votes from
Tom Jefferson, or (3) switch 1.5% (or 51,891 votes) from Tom Jefferson to Johnny
Adams.

By examining a particular attack in the context of our goal of changing the
results of Pennasota’s 2007 governor’s race, it becomes clear how difficult an
attack actually would be. Earlier, we assigned the following steps and values for
PCOS Attack 12 (“Stuffing Ballot Box with Additional Marked Ballots”):

Minimum number required to steal or create ballots: 5 persons total

Minimum number required to scan the ballots: 1 person per polling place 
attacked. 

Minimum number required to modify poll books: 1 person per polling place 
attacked. 

Our attacker seeks to use the “ballot-stuffing attack” to add 103,781 votes to 
Johnny Adams’ total. There are approximately 1,142 voters per polling place in
the State of Pennasota. Theoretically, our attacker could add 103,781 votes for
Johnny Adams in the boxes of three or four polling places and her favored can- 
didate would win. In this case, she would only need to involve a dozen people 
(including herself) to carry out the attack successfully; five to create the ballots, 
three or four to stuff the boxes, and three or four to modify (and add to) the poll 
books. 

As a practical matter, of course, this attempt at ballot stuffing would not work. 
Someone (and, more likely, many people) would notice if a few polling places that 
normally recorded 1100-1200 votes were suddenly reporting 25,000 votes each
for Johnny Adams. 

We have assumed that in order to avoid detection our attacker could add no more 
than 15% of the total votes in a particular polling place for Johnny Adams (see
“Limits on Attacker,” infra p. 22, for further discussion). Accordingly, our
formula for determining how many polling places she must target is as follows:

number of polling places targeted =
    (total votes that must be added) /
    [(total number of votes per polling place) x
     (percent that may be taken from any polling place)]

or, in actual numbers:

number of polling places targeted = 103,781 / (1,142 x 15%) = 606

From this we learn that attempting to change a statewide election by scanning in 
extra marked ballots would be extremely difficult. More specifically, it would
likely require more than 1,000 informed participants: 5 to create/steal and mark the
appropriate ballots, plus 606 to place ballots in separate ballot boxes in each
polling place, plus 606 to modify the poll books in each polling place. It is
unlikely that (1) an attacker could find so many people willing to participate in such an
attack without inadvertently soliciting someone who would expose the plot, (2) all
1,000 participants would keep silent about the attack, and (3) even if all 1,000
solicited persons agreed to take part in the attack, and none of them
purposefully exposed the plot, that no one would get caught perpetrating the conspiracy.




LIMITS ON ATTACKER

We have assumed that our attacker would prefer that her actions not raise undue
suspicion. Accordingly, we have placed some limits on the type of actions our
attacker could take. As just demonstrated by looking at the ballot-stuffing attack,
these limits can further help us determine how difficult a particular attack would
be (i.e., how many informed participants the attacker would need to involve).

Perhaps most importantly, we have assumed our attacker would not want to add 
or subtract more than 10% of the votes for a candidate in any one county (or 
switch more than 5% from one candidate to another), for fear that a greater 
change would attract suspicion. We believe that this is a conservative estimate, but
the reason for creating some kind of cap should be obvious: if enough votes are
switched in a specific location, it would eventually become apparent that
something has gone wrong (whether through fraud or error).

We can see this by looking at a specific example from an actual election. In 2004, 
in heavily Democratic Cook County, Illinois, John Kerry received 59% of the
vote and George Bush received 40%. It is unlikely that, just by looking at vote
totals for Cook County, anyone would have assumed that there was fraud or error
if John Kerry received 63% or 55% of the countywide vote. On the other hand,
if John Kerry received less than 50% or more than 70% of the vote in Cook 
County, these totals would (at the very least) attract attention and increase the 
likelihood that there would be some investigation. This would be particularly true 
if John Kerry’s totals were otherwise within reasonable expectations in other 
counties in Illinois and around the country. An attacker would seek to avoid such 
an extraordinary aberration. 

For the same reasons, we have put limits on the number of votes an attacker 
would seek to change in a single polling place or a single machine. We have 
assumed that a swing of greater than 15% in any single polling place or 30% on 
any single machine would attract too much suspicion. Therefore, an attacker 
would avoid adding or subtracting more than these numbers of votes per polling 
place and machine.


FIGURE 3 

ASSUMED PRECAUTIONS TAKEN BY ATTACKER:
LIMITS ON THE % OF VOTES ADDED OR SUBTRACTED FOR A CANDIDATE

Maximum % Votes Added or Subtracted Per County           10% (5% switch)
Maximum % Votes Added or Subtracted Per Polling Place    15% (7.5% switch)
Maximum % Votes Added or Subtracted Per Voting Machine   30% (15% switch)




TARGETING THE FEWEST COUNTIES 

As will be discussed, infra pp. 71-74, many attacks would be easier to execute, and
more difficult to detect, if they were limited to a small number of counties or
polling places. Given the limits we have set on our attacker, we have concluded
that, to change enough votes to affect the outcome of our statewide election, she
would have to attack a minimum of three counties. These would be the three
largest counties in the State of Pennasota (where there are enough votes to swing
the statewide election). This conclusion is supported in the table below.


FIGURE 4

TOTAL VOTES JOHNNY ADAMS NEEDS TO SWITCH TO ENSURE VICTORY: 51,891

                    Actual Vote   Number of Votes   % of County Votes   New Total
                                  Switched          Switched
Mega County                       23,453            4.4%
  Jefferson (D-R)   194,848                                             171,395
  Adams (F)         336,735                                             360,188
Capitol County                    17,306            4.8%
  Jefferson (D-R)   157,985                                             140,679
  Adams (F)         202,556                                             219,862
Suburbia County                   11,132            4.2%
  Jefferson (D-R)   128,933                                             117,801
  Adams (F)         135,003                                             146,135
Statewide Totals                  51,891
  Jefferson (D-R)   1,769,818                                           1,717,927
  Adams (F)         1,689,561                                           1,741,452
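
The cap model behind the polling-place formula and Figure 4, carried through as an added example (not code from the report). It uses only numbers printed above; the function names are illustrative, and the county check assumes the three counties in Figure 4 are attacked largest first.

```python
VOTES_TO_ADD = 103_781            # 3.0% added to one candidate's total
VOTES_TO_SWITCH = 51_891          # 1.5% switched between candidates
VOTERS_PER_POLLING_PLACE = 1_142

# Figure 4: (Jefferson, Adams) actual votes, votes switched, and stated percentage.
FIGURE_4 = {
    "Mega":     {"actual": (194_848, 336_735), "switched": 23_453, "pct": 4.4},
    "Capitol":  {"actual": (157_985, 202_556), "switched": 17_306, "pct": 4.8},
    "Suburbia": {"actual": (128_933, 135_003), "switched": 11_132, "pct": 4.2},
}


def ceil_div(a, b):
    return -(-a // b)


def polling_places_needed(votes, voters_per_place, cap_percent):
    """Polling places required when each may contribute at most cap_percent."""
    return ceil_div(votes * 100, voters_per_place * cap_percent)


def ballot_stuffing_participants(places, ballot_makers=5):
    """5 to create ballots, plus one scanner and one poll-book editor per place."""
    return ballot_makers + 2 * places


def counties_needed(votes_to_switch, figure, switch_cap_percent):
    """Counties (largest first) whose capped switches cover the target, else None."""
    remaining, chosen = votes_to_switch, []
    by_size = sorted(figure, key=lambda c: sum(figure[c]["actual"]), reverse=True)
    for county in by_size:
        if remaining <= 0:
            break
        chosen.append(county)
        remaining -= sum(figure[county]["actual"]) * switch_cap_percent // 100
    return chosen if remaining <= 0 else None


def figure_4_is_consistent(figure, switch_cap_percent=5):
    """Each row stays under the cap, matches its stated %, and rows sum to the goal."""
    for row in figure.values():
        total = sum(row["actual"])
        if row["switched"] * 100 > total * switch_cap_percent:
            return False
        if round(100 * row["switched"] / total, 1) != row["pct"]:
            return False
    return sum(r["switched"] for r in figure.values()) == VOTES_TO_SWITCH


if __name__ == "__main__":
    places = polling_places_needed(VOTES_TO_ADD, VOTERS_PER_POLLING_PLACE, 15)
    print("polling places:", places)
    print("participants:", ballot_stuffing_participants(places))
    print("counties at 5% cap:", counties_needed(VOTES_TO_SWITCH, FIGURE_4, 5))
    print("counties at 10% cap:", counties_needed(VOTES_TO_SWITCH, FIGURE_4, 10))
    print("Figure 4 consistent:", figure_4_is_consistent(FIGURE_4))
```

Raising or lowering the assumed caps shows how sensitive the participant counts are to the anomaly threshold that election officials and auditors would actually notice.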


TESTING THE ROBUSTNESS OF OUR FINDINGS

To ensure that the results of our analysis were robust and not limited to the com- 
posite jurisdiction of Pennasota, we ran our threat analysis against the results of 
the 2004 presidential race in Florida, New Mexico and Pennsylvania, and came 
up with substantially similar conclusions. Specifically, all of the findings and
recommendations in the Introduction (supra pp. 1-5) still applied.

We also re-ran our analysis in Pennasota, but changed the limits on our attacker, 
allowing her to change many more votes on a single machine and attempt to 
change the governor’s race in a single (i.e., “Mega”) county. Again, all eight of the
findings listed in the Introduction still applied.




THE CATALOGS 

As already discussed, we have catalogued over 120 potential attacks on voting
systems. These fall into nine categories, which cover the diversity and breadth of
voting machine vulnerabilities.

NINE CATEGORIES OF ATTACKS

One way of thinking about the voting process is to view it as a flow of informa- 
tion: the vendor and programmers present the voter with information about her 
election choices via the voting machine; the voter provides the voting machine
with her choices; the voter’s choice is then tallied by the voting machines, and this
tallied information is (at the close of the polls) provided to poll workers; from the
polling place, the vote tallies (whether in paper, electronic, or both forms) from all
voting machines are sent to a county tally center; from there countywide totals
are reported to state election officials and the media.

Attacks on voting systems are attacks on this flow of information. If we view the 
nine categories in the context of this flow, we get a better idea of how they might
be accomplished. 


FIGURE 5

TYPICAL FLOW OF INFORMATION TO AND FROM VOTING MACHINES

[Diagram not reproduced. It is divided into three phases (Before Purchase,
After Purchase, Election Day) and shows information moving among the vendor,
the independent testing authority, county election central (where voting
machines are stored), election officials, poll workers, voters, the polling
place, the county tally server, the state office and the media. Labeled flows
include COTS and system software updates and patches, software upgrades and
patches, memory cards, ballot definition files, configuration files, system
prototypes, specs and source code, machine totals tallied, and unofficial
polling place data sent via modem and/or hand carried.]





1. The Insertion of Corrupt Software Into Machines Prior to Election Day. This
is an attack on the voting machine itself, and it occurs before the voting machine 
even reaches the polling place. Someone with access to voting machines, software, 
software updates, or devices inserted into voting machines (such as printers or 
memory cards) introduces corrupt software (such as an Attack Program) that 
forces the machine to malfunction in some way. We can see by looking at the 
chart that there are several points of attack that exist before a machine reaches 
the polling place. The malfunction triggered by the corrupt software could, 
among other things, cause the machine to misrecord votes, add or lose votes, skip 
races, perform more slowly or break down altogether. 

One challenge associated with this attack is that it is likely to be operationally and 
technically difficult to carry out successfully. A second problem is that, because 
this attack occurs before Election Day, the attacker would not necessarily have the 
flexibility to adjust her attack to new facts learned immediately before or on 
Election Day (such as changes in the dynamics of the race, including which
candidates are running or how many votes are likely to be needed to ensure a
particular outcome). This type of attack is discussed in “Software Attacks on Voting
Machines,” infra pp. 30-T7).

2. Wireless and Other Remote Control Attacks. This is also a direct attack on the 
voting machine. But unlike the “Insertion of Corrupt Software” attack discussed
above, this attack can happen on, or immediately before, Election Day (it could
also happen much earlier).


This type of attack is often imagined in conjunction with corrupt software
attacks. Machines with wireless components are particularly vulnerable to such
attacks. Using a wireless PDA or any other device that allows one to access
wireless networks, an attacker could instruct a machine to activate (or turn off) a
Software Attack Program, send its own malicious instructions, or attempt to read
data recorded by the machine.


Personal digital assistants (PDAs or palmtops) are handheld devices
originally designed as personal organizers. PDAs can synchronize
data wirelessly with a computer.


3. Attacks on Tally Servers. The tally server is a central tabulator which calculates 
the total votes for a particular jurisdiction (generally at the county level). This attack 
would occur after the polls have closed and the machines have recorded votes. 


An attack on a tally server could be direct {e.g., on the database that totals votes) 
or indirect {e.g., by intercepting a communication to the server). In either case, the 
attacker would attempt to change or delete the totals reported by the tally server, 
or the data used to compute those totals. 


4. Miscalibration of Machines. All three voting systems use some method to inter- 
pret and electronically record the voter’s choice. At the close of an election, the 
machine reports (in electronic and printed form) its tally of the votes. For all three 
systems, if a machine is not calibrated correctly, it could favor one candidate over 
another. 





We can use the DRE as an example. Let us return to the governor’s race in 
Pennasota: in that race, a touch on the left half of the DRE screen should be 
recorded as a vote for Tom Jefferson; a vote on the right half of the screen should 
be recorded as a vote for Johnny Adams. The DRE could be miscalibrated so that 
touches on the left side, close to the center of the screen, are recorded for Johnny 
Adams rather than Tom Jefferson. 

An obvious problem with this specific example is that most voters who pressed 
“Jefferson” close to the center of the screen would note on the confirmation 
screen that their vote had been misrecorded; they would reject the Adams vote 
and try again. But some might not notice that their vote was misrecorded. In 
these cases, the miscalibration would take votes away from Jefferson and add
votes to Adams’ total. 

5. Shut Off Voting Machine Features Intended to Assist Voters. This is another 
attack that is directed at the machine itself. For all three systems, there are many
features that are intended to assist voters in ensuring that their choices are record- 
ed correctly. By disabling one of these features, an attacker can ensure that some 
votes would not be accurately recorded. 

By way of example, let us return to Pennasota, but this time consider the PCOS 
machine. PCOS machines have an over/undervote protection that is intended to 
make sure that voters vote in every race. If a voter accidentally votes for two can- 
didates in the governor’s race, the scanner should return the ballot to her without 
recording any votes. Until she erases one of her choices for governor, or indicates 
to the machine that she does not want her vote for governor to count, her ballot 
would not be recorded. 

If our attacker is a poll worker who wants Adams to win and works in a polling 
place where nearly all voters intend to vote for Jefferson, she could manually shut 
off the over/undervote protection. Given the fact that most voters in this polling 
place want to vote for Jefferson, the chances are that Jefferson would lose some 
votes as a result. As with the miscalibration attack, this attack does not have to be 
manual; a Software Attack Program inserted before Election Day could also 
attempt to shut off such machine functions. 

6. Denial-of-Service Attacks. This covers a broad range of attacks. In essence, this 
attack is meant to keep people from voting, by making it difficult or impossible to 
cast a vote on a machine. The attack could be lodged directly upon the machine: 
for instance, by insertion of corrupt software, as discussed above, or by physical- 
ly destroying a machine or machines. 

Again, looking at the governor’s race in Pennasota, our attacker would likely tar- 
get machines and polling places where she knows most voters would support Tom 
Jefferson. 




7. Actions by Corrupt Poll Workers or Others at the Polling Place to Affect Votes
Cast. In our catalogs, these attacks range from activating a Software Attack
Program already inserted into a voting machine, to shutting off voting machine
functions (discussed above), to giving poor instructions or misleading information
to certain voters. It could involve an attack on the machines themselves, upon
voters, or upon information meant to be transported from polling places to tally
centers. This attack could also include providing incomplete or inaccurate
instruction to poll workers.

8. Vote-Buying Schemes. This type of attack is already discussed, supra
pp. 9-10. As noted, such attacks would require so many informed participants
that they are unlikely to affect a statewide election without being exposed.

9. Attacks on Ballots or VVPT. This type of attack could occur at many points.
Some jurisdictions purchase their ballots directly from a vendor. Others get their
ballots from the county election office. In either case, ballots could be tampered
with before they reach the polling place. Both ballots and the VVPT could be
tampered with at the polling place, or as they are transported to the county tally
center. Finally, in states that have Automatic Routine Audits or recounts of
voter-verified paper records, ballots and VVPT could be tampered with prior to the
audit at the county offices or tally center.

LESSONS FROM THE CATALOGS:
RETAIL ATTACKS SHOULD NOT CHANGE
THE OUTCOME OF MOST CLOSE STATEWIDE RACES

The catalogs show us that it is very difficult to successfully change the outcome
of a statewide election by implementing “retail” attacks on a large scale. Retail
attacks are attacks that occur at individual polling places, or during the transport
of hardware and/or ballots to and from individual polling places. We have found
that these attacks would require too many participants and garner too few votes
to have a good chance of swinging a statewide election like the governor’s race in
Pennasota.

In contrast, the least difficult attacks are centralized attacks that occur against the 
entire voting system. These attacks allow an attacker to target many votes with 
few fellow conspirators. 

To see why retail attacks are unlikely to change the outcome of most close 
statewide elections, it is useful to look to see how a typical retail threat listed in 
our catalog might affect the totals in Pennasota’s governor’s race. Attack 20 in the 
DRE w/VVPT catalog is the “Paper Trail Boycott” attack. In this attack, an
attacker would enlist voters in polling places where her favored candidate is
expected to do poorly. Each of the enlisted voters complains to the poll workers
that no matter how many times the voter tries, the paper trail record never
corresponds to his choices. The election officials would have no choice but to remove
the “offending” machines from service. This would reduce the number of
available machines, creating a “bottleneck” where voters would have to wait in long
lines. Ultimately, some voters would give up and leave the lines without voting.

There is one step to this attack, but it must be repeated many times: voters must
falsely complain that the machines are not recording their votes correctly.

Again, we assume that the conspiring voters would want Tom Jefferson to lose a 
net total of 103,781 votes (there is no switching of votes in this scenario; the 
attackers’ hope is that their bottleneck would prevent many of Tom Jefferson’s
supporters from voting, thus reducing his vote total). 

We have assumed that if five voters in a short period of time report that the same
machine is not recording their vote correctly, poll workers would be forced to shut
it down. As already discussed, the average number of voters per polling place in
the State of Pennasota is 1,142. Based upon a statistical analysis performed by
Professor Benjamin Highton at the University of California at Davis for this
report, we estimate that if the attackers shut down three machines in a single
polling place, the long lines created by the bottleneck would keep 7.7% of voters
from voting in every affected precinct. This means that roughly 88 voters per
affected polling place (or 7.7% of 1,142) would decide not to vote because of the
bottleneck.

But not all of these voters would be Jefferson voters. Even if all of the affected 
polling places favored Tom Jefferson by 9 to 1, the bottleneck would cause both
candidates to lose some votes. Presumably, for every 9 Jefferson voters turned
away, 1 Adams voter would also decide not to vote. This means that, if this attack
were limited to polling places that heavily favored Tom Jefferson, the effect would 
be to cause a net loss of 70 votes for Tom Jefferson per polling place (Tom 
Jefferson would lose 79, or 90% of the votes lost in each affected polling place, 
but Johnny Adams would lose 9, or 10%). 

Based upon this information, we can determine how many polling places would
need to be targeted: 

number of polling places targeted =
    (total votes targeted) /
    (net number of votes lost by creating bottleneck)

or, in actual numbers:

number of polling places targeted = 103,781 / 70 = 1,483

This represents more than one-third of all polling places in Pennasota. It is 
doubtful that one-third of all polling places in Pennasota would be skewed so
heavily toward Jefferson. Professor Henry Brady of the University of California
at Berkeley recently performed an analysis of election results in heavily
Democratic Broward and Palm Beach counties in the 2000 election. See
Appendix I. Even in those counties, only 21.4% and 14.8% of precincts,
respectively, reported more than 80% of voters voting for Al Gore; furthermore, only
10.3% and 6.5% (respectively) reported 90% or more voting for Gore.

But even if we were to presume that there were enough polling places to allow 
this attack to work, there are other problems. First, the attack would probably be 
exposed: if thousands of machines were reported to have malfunctioned in 
polling places, but only where Jefferson was heavily favored, someone would 
probably notice the pattern. 

Moreover, the number of informed participants necessary to carry out this attack 
makes it, in all likelihood, unworkable. The attack would need over 20,000
participants: 5 attackers per machine x 3 machines per polling place x 1,483 polling
places.

All other “retail” attacks in the catalog require many hundreds or thousands of 
co-conspirators. For the reasons already discussed, we believe this makes these 
attacks very difficult to execute successfully in a statewide election. 

In contrast, “wholesale” attacks allow less than a handful of individuals to affect 
many votes - enough, in some cases, to change the result of our hypothetical gov- 
ernor’s race. The least difficult of these wholesale attacks are attacks that use 
Software Attack Programs. The following section discusses the feasibility of these 
attacks, which we have identified as the “least difficult” set of attacks against all 
three voting systems. 





A Trojan Horse is a destructive program that masquerades as a benign program.


SOFTWARE ATTACKS ON VOTING MACHINES

As already discussed, supra p. 6, attacks on elections and voting systems have a
long history in the United States. One of the primary conclusions of this report
is that, with the new primacy of electronic voting systems, attacks using Trojan
horses or other Software Attack Programs provide the least difficult means to
affect the outcome of a statewide election using as few informed participants as
possible.

This conclusion runs counter to an assertion that many skeptics of these attacks
have made, namely that it is not realistic to believe that attackers would be
sophisticated enough to create and successfully implement a Software Attack
Program that can work without detection. After careful study of this issue, we
have concluded that, while operationally difficult, these threats are credible.

HISTORY OF SOFTWARE-BASED ATTACKS

Those skeptical of software attacks on voting machines point to the fact that, up
to this point, there is no evidence that a software attack has been successfully
carried out against a voting system in the United States. However, the best piece
of evidence that such threats should be taken seriously is that, in the last several
years, there have been increasingly sophisticated attacks on non-voting computer
systems.

Among the targets have been: 

- US government systems, including those containing classified data;

- Financial systems, including attacks that gained perpetrators large sums of
  money;

- Content protection systems intended to stand up to extensive external
  attack;

- Special-purpose cryptographic devices intended to be resistant to both
  software and physical attack;

- Cryptographic and security software, designed specifically to resist attack, and

- Attacks on gambling machines, which are subject to strict industry and
  government regulation.

We learn of more attacks on non-voting systems all the time. But, even with this
increased knowledge, we have probably only learned of a small fraction of the
attacks that have occurred. For each high-profile case of eavesdropping on cell
phones or review of e-mails or pager messages, there are, in all probability, many
cases where the attacker’s actions remain unknown to the public at large. For
every case where financial data is tampered with and the theft is discovered and
reported, there are certainly cases where it is never detected, or is detected but
never reported.

In addition to the attacks already listed, we also have seen the rise of
sophisticated attacks on widely-used computer systems (desktop PCs) for a variety
of criminal purposes that allow criminals to make money:

- Activities/methods like phishing (spam intended to get users to disclose
  private data that allow an attacker to steal their money) and pharming
  (exploitation of DNS to redirect legitimate web traffic to illegitimate sites to
  obtain private data) continue to grow.

- Extortion against some computer sites continues, with an attacker threatening
  to shut down the site via a distributed denial-of-service (DDOS) attack,
  or the posting of confidential information, unless she is paid off.

- Large networks of “bots” - innocent users’ computers that have been taken
  over by an attacker for use in the kinds of attacks already referenced, are
  bought, sold and rented.

The sophistication of these attacks undermines the argument that attackers
“wouldn’t be smart enough” to carry out a software attack on voting systems.
Many existing attackers have already shown themselves to be sophisticated enough to
carry out these types of attacks. In fact, given the stakes involved in changing the
outcome of a statewide or national election, there is good reason to believe that
many who would have an interest in affecting such outcomes are far more
sophisticated than recent attackers who have hacked or violated well-protected
government and private industry systems.

Still, there are several reasons to be skeptical of software-based attacks, and the 
rest of this section attempts to address the main challenges an attacker using this 
method of attack would face: 

1. Overcoming Vendor Motivation. The vendor has an economic interest in
preventing attackers from infiltrating their machines with Software Attack
Programs.

2. Finding an Insertion Opportunity. An attacker would have to gain access to
a place that would allow her to insert the Software Attack Program in the
machine.

3. Obtaining Technical Knowledge. An attacker would have to know enough to
develop a Software Attack Program that can function successfully in a voting
terminal.




Domain Name System (DNS) is a distributed database that stores mappings of
Internet Protocol addresses and host names to facilitate user-friendly web
browsing.





4. Obtaining Election Knowledge. An attacker may need to know a lot about
the ballots and voting patterns of different precincts to create a Software
Attack Program that works and does not create undue suspicion.

5. Changing Votes. Once an attacker has sufficient knowledge about the ballots
and election, she would need to create a program that can change vote totals
or otherwise affect the outcome of an election.

6. Eluding Inspection. An attack would have to avoid detection during
inspection.

7. Eluding Testing and Detection Before, During, and After the Election. An
attacker would have to avoid detection during testing.

8. Avoiding Detection After Polls Close. Even after an attack has successfully
changed the electronic record of votes, an attacker would still need to ensure
that it is not discovered later.

We review each of these barriers to successful software-based attacks in turn. 

VENDOR DESIRE TO PREVENT SOFTWARE ATTACK PROGRAMS

Voting machine vendors have many reasons to want to protect their systems from
attack. The most obvious reason is economic: a system that is shown to be
vulnerable to attack is less likely to be purchased.

Unfortunately, the fact that vendors have incentives to create secure systems does
not mean that their systems are as secure as they should be. The CERT
(Computer Emergency Readiness Team) Coordination Center, a federally funded
research and development center operated by Carnegie Mellon University,
reported nearly 6,000 computer system vulnerabilities in 2005 alone. This
included vulnerabilities in two operating systems frequently used on voting
machines: 2,328 vulnerabilities on the Linux and Unix operating systems and 812
vulnerabilities in Microsoft Windows operating systems. Many of these
vulnerabilities leave machines open to “viruses and other programs that could
overtake” them.

Moreover, it is not clear that vendors are doing everything they can to safeguard
their systems from attack. As noted in a recent Government Accountability Office
report on electronic voting systems, several state election officials, computer
security and election experts have criticized vendors for, among other things,
their (1) personnel security policies, questioning whether they conduct sufficient
background checks on programmers and systems developers, and (2) internal security
policies, questioning whether such policies have been implemented and adhered
to during software development.





Even assuming that vendors adhere to the strictest personnel and security
policies, it is still possible that they would hire employees who abuse their
positions to place corrupt software into voting machines. A single, ill-intentioned
employee could cause tremendous damage. This is illustrated by the case of Ron
Harris, “a mid-level computer technician” for Nevada’s Gaming Control Board. Mr.
Harris hid a Software Attack Program in dozens of video-poker and slot
machines in the early 1990s. The attack program allowed accomplices to trigger
jackpots by placing bets in a specific order. Mr. Harris was eventually caught
because he became too brazen: by the mid-1990s, he began using an attack
program against the gaming machines based on the card game “Keno.” When his
accomplice attempted to redeem a $100,000 jackpot, officials became suspicious
and she was ultimately investigated and caught.

In any event, as demonstrated below, an attacker need not be employed at a
vendor to insert an attack program into voting machines. She can choose several
points to insert her attack, and many of them do not originate at the vendor.

INSERTING THE ATTACK PROGRAM

In this subsection, we look at some of the points where an attacker could insert
her attack program. As illustrated by the chart on the next page, the attack
program could be inserted while the machine is still in the hands of the vendor,
after it has been purchased, and even on Election Day. Insertion into (1)
Commercial Off The Shelf (COTS) software used on all voting machines, (2) COTS
patches and updates, and (3) ballot definition files, may be particularly attractive
because these are not currently subject to inspection by independent testers.
Given their size and complexity, it is hard to imagine that a thorough review of
them would be practical, even if the COTS vendors were willing to provide
access to their source code for inspection.

POINTS OF ATTACK: COTS AND VENDOR SOFTWARE

The process for developing voting system software is not dramatically different
from the development of any other type of software or operating systems.
Vendors develop a set of requirements for their machines; a team of programmers
is subsequently assembled to apply those requirements by developing new
code, and then integrating the new code with old code and COTS software; after
the new code is written and integrated, a separate team of employees test the
machines; when the testers find bugs, they send the new software back to the
programmers (which may include new team members) to develop patches for the
bugs.

There are a number of opportunities to insert a Software Attack Program during
this process:

- The attack program could be part of COTS software that was purchased for
  use on the voting system. The current voting systems standards exempt
  unaltered COTS software from inspection by an Independent Testing Authority.

- The attack program could be written into the vendor code by a team member
  at the vendor.

- The attack program could be hidden within the operating system using
  rootkit-like techniques, or perhaps a commercial rootkit for the underlying
  operating system.

- The attack program could be written into one of the patches that is developed
  after the vendor’s testers find bugs.

- The attack program could be written by someone at the vendor after it has
  passed the vendor’s testing.

FIGURE 6. SOFTWARE ATTACK PROGRAM: POINTS OF ENTRY
[Figure not reproduced. Surviving labels: “Not Subject to ITA Inspection”;
“Contractors/Subcontractors”.]

A patch is a small piece of software designed to update or fix problems in a
computer program.

Ballot definition files tell the voting machine how to interpret, display and
record the voter's selections.

A rootkit is a set of software tools used by an intruder to maintain access to a
computer system without the user's knowledge.

A cryptic knock is an action taken by a user of the machine that triggers a
response by the embedded attack program. The cryptic knock could come in
different forms depending on the attack program: voting for a write-in candidate,
tapping a specific spot on the touch-screen, a communication via wireless
network, etc.

It is worth noting that even tampering with the software in the initial voting system
is not limited to programmers working for the voting system vendor. COTS software
writers, who may themselves be contractors or subcontractors of the original
company that sold the COTS software to voting systems vendors, are in a very good
position to insert an attack program.


Further, anyone with access to the voting system software before it has been
installed on the voting machines may install an attack program. This could include
people with access to the software during development, storage, or testing.


POINTS OF ATTACK: SOFTWARE PATCHES AND UPDATES 

COTS software is often supplemented by patches and updates that can add
features, extend the software’s capabilities (e.g., by supporting more assistive
technology or a larger set of screen characters for alternate-language voting) or
fix problems discovered after the software was sold. This is an obvious attack
point. The attack program may be inserted by someone working for the COTS
software vendor, or by someone working at the voting system vendor, or by the
election official handling the installation of patches and updates. The patch or
update can be installed before or after the voting machine has left the vendor.


POINTS OF ATTACK: CONFIGURATION FILES AND ELECTION DEFINITIONS

As discussed, supra endnote 81, ballot definition files allow the machine to (1)
display the races and candidates in a given election, and (2) record the votes cast.
Ballot definition files cannot be created until shortly before an election, when all
of the relevant candidates and races for a particular jurisdiction are known. An
attacker could take over the machine by inserting improperly formed files at the
time of Ballot Definition Configuration. Two separate reports have demonstrated
that it may be possible to alter the ballot definition files on certain DREs so
that the votes shown for one candidate are recorded and counted for another.
The Task Force knows of no reason why PCOS systems would not be similarly
vulnerable to such an attack.


Ballot definition files are not subject to testing by Independent Testing Authorities
and cannot be because they are developed for specific jurisdictions and elections,
after certification of a voting system is complete.

POINTS OF ATTACK: NETWORK COMMUNICATION

As will be discussed in greater detail, infra pp. 85-86, some voting systems use
wireless or wired network connections. If there is a vulnerability in the
configuration of the voting machine (again, by design or error), this can allow an
attacker to insert an attack program via the wireless connection.

POINTS OF ATTACK: DEVICE INPUT/OUTPUT

Some voting systems involve the use of an external device such as a memory card,
printer, or smart card. In some cases, the ability to use these devices to change
votes has been demonstrated in the laboratory. For example, Harri Hursti, a
member of the Task Force, has demonstrated that memory cards (which generally
contain, among other things, the ballot definition files) can be used to create
false vote totals on a particular brand of PCOS, and conceal this manipulation
in reports to election officials generated by the scanners. This was recently
demonstrated again in a test performed by election officials in Leon County,
Florida. Several computer security experts who have reviewed other PCOS
systems believe that they may be vulnerable to similar attacks.


DREs have also been shown to be vulnerable to attacks from input devices. In a
“Red Team” exercise for the State of Maryland in January 2004, RABA
Technologies, LLC demonstrated that smart cards (which are used as both
supervisor and voter access cards) on one model of DRE could be manipulated to
allow a voter to vote multiple times.


TECHNICAL KNOWLEDGE

Just because there are opportunities to insert a Software Attack Program does not
mean that an attacker would have the knowledge to create a program that works.
It is not difficult to understand how hackers could gain enough knowledge to
create attack programs that could infiltrate common operating systems on personal
computers: the operating systems and personal computers are publicly available
commercial products. A hacker could buy these products and spend months or
years learning about them before creating an effective attack program.

How would an attacker gain enough knowledge about voting systems to create an
attack program that worked? These are not systems that general members of the
public can buy.

We believe there are a number of ways an attacker could gain this knowledge.
First, she might have worked for (or received assistance from someone who
worked for) one of the voting system vendors. Similarly, she could have worked
for one of the independent testing authorities or state qualification examiners.

Alternatively, the attacker could hack into vendor or testing authority networks.
This could allow her to gain important knowledge about a voting machine’s
software and specifications.




Finally, an attacker could steal or “borrow” a voting machine. Access to voting
machines will be very important to an attacker as she develops her Software
Attack Program; this will not necessarily be an overwhelming obstacle. Machines
are often left in warehouses and polling places for months in between elections.
Responses to our security surveys showed that there are many points where
physical security for voting machines is surprisingly lax: about half of the counties
responding to the security survey stated that they did not place tamper-evident
seals on machines during the months the machines were in storage; several
counties stated that they did not take inventory of voting machines in between
elections; in one county, voting machines were placed under a blanket in the back
of an office cubicle when not in use. Hackers have repeatedly shown their ability
to decipher software and develop attack programs by “reverse engineering” their
target machines; there is no reason to believe they could not apply these skills to
voting machines.


ELECTION KNOWLEDGE

An attacker could be required to insert the Software Attack Program before all
facts about the election are known. Many points of insertion discussed above
(supra pp. 33-36) would require the attacker to create an attack program before
she could possibly know which candidates were running or where various races
would be placed on ballots. Different jurisdictions could decide to place that same
race in different positions on the ballot (i.e., as the third race as opposed to the
fourth).


ATTACKING THE TOP OF THE TICKET 

We believe this problem could be overcome, particularly where the attacker
sought to shift votes at the “top” of the ticket -- as would be the case in an attempt
to affect the governor’s race in Pennasota in 2007. Here, in a software update or
patch that is sent before a particular election, the attacker could merely ask the
machine to switch one or two votes in the first race in the next election. Since the
Federalists and the Democratic-Republicans are the two main parties in
Pennasota, the attacker would know that their candidates for governor would be
listed in the first and second columns in the governor’s race. Even if the attacker
is not certain whom the Federalists or Democratic-Republicans are going to select
as candidates at the time when she inserts the attack program, she could still
create a successful program by instructing the machine to switch a certain number
of votes in the first (governor’s) race from the Democratic-Republicans (column
“2”) to the Federalists (column “1”).





Moreover, we have assumed that our attacker is smart enough to avoid switching
so many votes that her attack would arouse suspicion. By switching 7.5% or fewer
votes per machine, our attacker need not be particular about which machine she
attacks. She could create a program that only activates on every fourth or fifth
machine.

PARAMETERIZATION 

It is possible that our attacker would be more cautious: perhaps she would limit
her attack to certain counties or precincts. Perhaps in some jurisdictions the
governor’s race won’t be listed as the first race. Or perhaps her opportunity to
insert the attack program came a year before the governor’s race, when she wasn’t
sure who the candidates would be and whether she would want to attack the election.

In such cases, the attacker could “parameterize” her attack. Under this scenario, 
the attacker would create an attack program and insert it in the original software, 
or software updates. The attack program would not specify which race to attack 
or how. Instead, it would wait for certain commands later; these commands 
would tell it which votes to switch. 

These commands could come from many sources, and could be difficult for anyone
other than the attacker to find. For instance, the commands could come from
the ballot definition file. The original attack program could provide that if there
is an extra space after the last name of the second candidate for a particular race
in a ballot definition file, five votes in that race should be switched from the
second column to the first. By waiting to provide these commands until the ballot
definition files are created, the attackers could affect a race with great specificity
- instructing the attack program to hit specific precincts in specific ways.

Of course, this is a more difficult attack: it requires more steps and more
informed participants (both the original programmer and the person to insert the
commands in the ballot definition file). In the specific example we have provided,
it would also require someone with insider access to the ballot definition files.

But this type of attack would be attractive because it would give the attacker a
great deal of flexibility. Moreover, the commands could come from sources other
than the ballot definition files. If the voting machines have wireless components,
the attacker could activate her attack by sending commands over a wireless PDA
or laptop. Or she could send these commands through a Cryptic Knock during,
for instance, voting or Logic and Accuracy testing. For example, an insider
responsible for developing the Logic and Accuracy scripts could have all the
testers type in a write-in candidate for the ostensible purpose of ensuring that the
write-in function is working. The spelling of the name of that write-in candidate
could encode information about what races and ballot items should be the target
of the attack. Testers following the script would unknowingly aid the attack.
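
A defensive check for the ballot definition channel described above, added here as an example and not taken from the report: it flags any field whose bytes differ from their canonical form (such as the extra space in the report's example) and classifies a file against the approved master copy. The pipe-delimited record layout, the function names and the sample records are assumptions made for the example.

```python
import hashlib
import unicodedata

# Hypothetical record layout, assumed for this example (real ballot definition
# formats are vendor-specific):  race_id|column|candidate_name
FIELD_COUNT = 3
HIDDEN = ("Cc", "Cf")  # Unicode control and format (zero-width) characters


def canonical_field(raw):
    """Canonical form: NFC, no hidden characters, single spaces, no padding."""
    text = unicodedata.normalize("NFC", raw)
    text = "".join(ch for ch in text if unicodedata.category(ch) not in HIDDEN)
    return " ".join(text.split())


def describe(raw):
    """Name the first way a field departs from its canonical form."""
    if any(unicodedata.category(ch) in HIDDEN for ch in raw):
        return "control or zero-width character"
    if raw != raw.rstrip():
        return "trailing whitespace"
    if raw != raw.lstrip():
        return "leading whitespace"
    if raw != " ".join(raw.split()):
        return "irregular internal whitespace"
    return "non-canonical Unicode encoding"


def lint_ballot_definition(text):
    """Return (line_no, field_index, reason) for every non-canonical field."""
    findings = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        if not line:
            continue
        fields = line.split("|")
        if len(fields) != FIELD_COUNT:
            findings.append((line_no, None, "unexpected field count"))
            continue
        for index, raw in enumerate(fields):
            if raw != canonical_field(raw):
                findings.append((line_no, index, describe(raw)))
    return findings


def canonical_digest(text):
    """SHA-256 over the canonicalized records (what a proofreader sees)."""
    records = ["|".join(canonical_field(f) for f in line.split("|"))
               for line in text.split("\n") if line]
    return hashlib.sha256("\n".join(records).encode("utf-8")).hexdigest()


def compare_to_master(candidate, master):
    """Classify a file about to be loaded against the approved master copy."""
    if candidate.encode("utf-8") == master.encode("utf-8"):
        return "identical"
    if canonical_digest(candidate) == canonical_digest(master):
        # Looks the same on screen and on the printed proof, yet the bytes
        # differ: the extra bytes are a possible side channel.
        return "same-content-different-bytes"
    return "content-differs"


# Constructed sample data using the report's hypothetical candidates.
MASTER = "GOV|1|Johnny Adams\nGOV|2|Tom Jefferson\n"
CANDIDATE = "GOV|1|Johnny Adams\nGOV|2|Tom Jefferson \n"  # one trailing space

if __name__ == "__main__":
    for finding in lint_ballot_definition(CANDIDATE):
        print("line %d field %s: %s" % finding)
    print(compare_to_master(CANDIDATE, MASTER))
```

A file that proofreads correctly but returns "same-content-different-bytes" is the case a visual review of the ballot layout would miss, so loading should require byte-for-byte equality with the approved master.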





CREATING AN ATTACK PROGRAM THAT CHANGES VOTES

Even if the attacker possessed sufficient knowledge about voting systems and
specific elections before she inserted her attack program, she would need to figure
out a way to create a tampering program that alters votes. Without getting into
the fine details, this subsection will summarize a number of methods to
accomplish this goal.

CHANGING SYSTEM SETTINGS OR CONFIGURATION FILES 

Configuration Files are files that are created to organize and arrange the system
settings for voting machines. The system settings control the operation of the
voting machine: for instance, setting parameters for what kind of mark should count
as a vote on the PCOS ballot, instructing the PCOS scanner to reject ballots that
contain overvotes, setting parameters for dividing a DRE screen when there are
multiple candidates in the same race, or providing a time limit for voters to cast
their votes on DREs.

An attack program that altered the system settings or Configuration Files could
be buried in a Driver or program that is only run when the voting has started, or
work off of the voting machine clock, to ensure that it is triggered at a certain
time on Election Day. Among the attacker’s many options within this class of
attack are:

- Swap contestants in the ballot definition or other files, so that, for instance, a
  vote for Tom Jefferson is counted as one for Johnny Adams (and vice versa).
  This is an attack that was described in the RABA Technologies report on an
  intrusion performed for the state of Maryland.

- Alter Configuration Files or system settings for the touch-screen or other user
  interface device, to cause the machine to cause differential error rates for one
  side. For instance, if our attacker knew that voters for Tom Jefferson were
  more likely to overvote or undervote the first time they filled out their ballots,
  she could install a software attack that shut off the overvote/undervote
  protection in several PCOS scanners - see infra p. 81 for a discussion of this
  attack.

- Alter Configuration Files or system settings to make it easier to skip a contest
  or misrecord a vote accidentally (e.g., by increasing or decreasing touch-screen
  sensitivity or misaligning the touch-screen).

- Alter Configuration Files or system settings to change the behavior of the
  voting machine in special cases, such as when voters flee (for instance, recording
  a vote for Johnny Adams when a voter leaves the booth without instructing
  the machine to accept her ballot).





There are at least two potential operational difficulties an attacker would have to
overcome once she inserts this type of attack program: (1) she would need to
control the trigger time of the attack so as to avoid detection during testing; and
(2) she would want to make sure that the changes made are not entered into the
Event Logs, in case they are checked after the polls have closed. Ways of
overcoming these challenges are discussed infra pp. 42-44 and 44-46.

ACTIVE TAMPERING WITH USER INTERACTION OR RECORDING OF VOTES

In this type of attack, the attack program triggers during voting and interferes in
the interaction between the voter and the voting system. For example, the attack
program may:

- Tamper with the voter interaction to introduce an occasional “error” in favor
  of one contestant (and hope that the voter does not notice). This is the
  “Biased Error” attack.

- Tamper with the voter interaction both at the time the voter enters his vote
  and on the verification screen, so that the voter sees consistent feedback that
  indicates his vote was cast correctly, but the rest of the voting machine’s
  software sees the changed vote.

- Tamper with the electronic record written after the verification screen is
  accepted by the voter - e.g., by intercepting and altering the message
  containing results before they are written in the machine’s electronic record, or
  any time before end-of-election-day tapes (which contain the printed vote
  totals) are produced and data are provided to election officials.

This class of attack seems to raise few operational difficulties once the attack
program is in place. The attack that introduces biased errors into the voter’s
interaction with the voting system is especially useful for attacking DRE w/VVPT
and PCOS systems where the paper record is printed or filled in by the voting
machines being attacked, since the attacked behavior, if detected, is
indistinguishable from user error. However, the attack program could improve its
rate of successfully changed votes, and minimize its chances of detection, by
choosing voters who are unlikely to check their paper records carefully. Thus,
voters using assistive technology are likely targets.

TAMPERING WITH ELECTRONIC MEMORY AFTER THE FACT

An alternative approach is to change votes in electronic memory after voting has
ended for the day, but before the totals are displayed locally or sent to the
county tally server.

In this case, the attack program need only be activated after voting is complete.
This allows the attack program considerable flexibility, as it can decide whether
to tamper with votes at all, based on totals in the machine. For instance, the
Software Attack Program could be programmed to switch ten votes from Tom
Jefferson to Johnny Adams, only if Johnny Adams has more than 90 votes on the
machine.

It can also allow the attack program to avoid getting caught during pre-election
testing. By programming the attack program to activate only after voting has
ceased on Election Day (and the program should be able to do this by accessing
the voting machine’s internal clock), the attack program would elude all attempts
to catch it through earlier testing. Similarly, by only triggering after, for instance,
100 votes have been cast within twelve hours, the attack program can probably
elude pre-election testing; most pre-election testing involves the casting of far
fewer votes. See Appendix E.

This type of attack must overcome some interesting operational difficulties; we do
not believe that any of them are insurmountable with respect to any of the
systems we have reviewed:

- Some voting machines store electronic records in several locations; the attack
  program would have to change them all.

- The attack program must either (1) avoid leaving entries of attack in the
  Event or Audit Logs, or (2) create its own Audit Logs after the attack (however,
  the necessity of doing either of these things is dependent upon how the
  machine logs its own actions: if the machine would show only that it accessed
  a file, these are unlikely to be problems for the attack program; if each record
  altered yields a log entry, this requires tampering with the event log to avoid
  detection).

- Depending upon details of the file access required, the attack program may
  face some time constraints in making the desired number of changes. Given
  the fact that we have assumed no more than 7.5% of votes would be switched
  in any one polling place or 1.5% on any machine, this may not be a great
  problem. There is likely to be a reasonable span of time between the closing
  of polls and the display and transmission of results.




ELUDING INDEPENDENT TESTING
AUTHORITY INSPECTIONS

How does an attacker ensure that any attack program she has inserted would not
be caught by inspections done at the vendor, or during an Independent Testing
Authority inspection of software code?

Part of the answer depends upon where the attack program is installed. Attacks 
installed at certain points (such as attacks written into vendor software code) are 
likely to be subject to multiple inspections; attacks installed at other points (such 
as attacks installed in COTS software, ballot definition files or replaceable media) 
may not be subject to any inspection.

CREATE DIFFERENT HUMAN-READABLE AND BINARY CODE

A clever attacker could defeat inspection in a number of ways. Before detailing
how this would be accomplished, a brief conceptual introduction is necessary:
To develop a program, a programmer writes human-readable source code.
Generally, before a computer can run this program, the source code must be
converted into a binary code (made up of “0”s and “1”s) that the computer can read.
This conversion is accomplished by use of a compiler. Thus, each program has
two forms: the human-readable source code and the compiled binary code.

A simple attack designed to elude inspection could be accomplished as follows: 
our attacker writes human-readable source code that contains an attack program 
(perhaps the program, among other things, instructs the machine to switch every 
25th vote for the Democratic-Republicans to the Federalists). The attacker then 
uses a compiler to create a similarly malicious binary code to be read by the com- 
puter. After the malicious binary code has been created, the attacker replaces the 
malicious human-readable source code with a harmless version. When the ven- 
dor and Independent Testing Authority inspect the human-readable source code, 
they would not be able to detect the attack (and the binary code would be mean- 
ingless to any human inspector). 

USE ATTACK COMPILER, LINKER, LOADER OR FIRMWARE

An obvious way for an ITA to pre-empt this attack would be to require vendors
to provide the human-readable source code, and to run the human-readable
source code through the ITA’s compiler. The ITA could then compare its
compiled version of the code with the compiled code provided by the vendor (i.e., did
all the “0”s and “1”s in both versions of the code match up?).

But what if, instead of inserting the attack into the vendor’s source code, our
attacker inserted an attack into the compiler (which is generally a standard
software program created by a non-voting system software vendor)? Under these
circumstances, the compiler could take harmless human-readable source code and
turn it into malicious binary code without any inspector being the wiser. As a
compiler is generally COTS software, it would not be inspected by the ITAs.

In any event, the attacker could hide the attack program in the compiler by 
adding one level of complexity to her attack: make the compiler misread not only 
the seemingly innocuous vendor source code (which would be converted into 
malicious binary code), but also the seemingly innocuous compiler source code 
(which would also be converted into malicious binary code, for the purpose of 
misreading the vendor source code). In other words, the attacker can hide the 
attack program in the same way that she might hide an attack program in other 
software: change the human-readable compiler source code so that it does not 
reveal the attack. When the compiler “compiles itself” (i.e., turning the
human-readable source code for the compiler into computer readable binary code) it
creates a binary code that is malicious, but cannot be detected by human inspectors.

The compiler is not our attacker’s only opportunity to convert innocuous
human-readable source code into an attack program. What is known as a “linker” links
the various binary code programs together so that the voting machine can func- 
tion as a single system. Here again, the linker can be used to modify the binary 
code so that it functions as an attack program. 

Additionally, the attacker can use the “loader,” the program on each voting 
machine’s operating system that loads software from the disk drive onto the 
machine’s main memory, to alter code for a malicious purpose.

Finally, if our attacker is a programmer employed at the vendor, she can create
or alter firmware that is embedded in the voting machines’ motherboard, disk
drives, video card or other device controllers to alter seemingly harmless code to
create a malicious program. Like COTS software, firmware is not subject to ITA
inspection.


AVOIDING INSPECTION ALTOGETHER

An attacker could also insert her program in places not subject to inspection.

As already noted, the current Voluntary Voting Systems Guidelines exempts
unaltered COTS software from testing, and original COTS code is not currently
inspected by the ITAs. This makes it more difficult to catch subtle bugs in either
COTS software that is part of the original voting system, or COTS software
patches and updates (assuming that new testing is done when such patches and
updates are required).

Moreover, attacks inserted through ballot definition, wireless communication, 
or through device input (i.e., memory cards, printers, audibility files) would occur
after the machine has been tested by the ITA and would thus avoid such testing 
altogether. 





Moreover, we have serious concerns about the ability of current Independent
Testing Authority inspections and tests to catch even Software Attack Programs
and bugs in original voting systems software. While ITA tests may filter out
obvious attack behavior, intentional, subtle bugs or subtle attack behavior (e.g.,
triggering the attack behavior only after complicated interaction with a user
unlikely to be replicated in a testing lab, or only when the clock tells the Attack Program
that it is Election Day) may remain unnoticed in the testing lab review. As noted
in the GAO report, these and other concerns about relying on ITA testing have
been echoed by many security and testing experts, including ITA officials.

AVOIDING DETECTION DURING TESTING

Even after an attack program has been successfully installed and passed
inspection, it would still need to get through testing. Tampered software must avoid
detection during testing by vendors, testing authorities and election officials. With
the exception of Parallel Testing (which is regularly performed statewide only in
California, Maryland, Washington), all of this testing is done prior to voting on
Election Day.

There are a number of techniques that could be used to ensure that testing does 
not detect the attack program. 

• The attack program could note the time and date on the voting machine’s
clock, and only trigger when the time and date are consistent with an
election. This method could, by itself, prevent detection during vendor testing,
Logic and Accuracy Testing and Acceptance Testing, but not during Parallel
Testing.

• The attack program could observe behavior that is consistent with a test (as
opposed to actual voter behavior). For example, if Logic and Accuracy
Testing is known never to take more than four hours, the attack program
could wait until the seventh hour to trigger. (Note that the attack becomes
more difficult if the protocol for testing varies from election to election).

• The attack program could activate only when it receives some
communication from the attacker or her confederates. For example, some specific pattern
of interaction, a Cryptic Knock, between the voter or election official and the
voting machine may be used to trigger the attack behavior.

AVOIDING DETECTION
AFTER THE POLLS HAVE CLOSED

In many cases, the most effective way to tamper with an election without detection
would be to change votes that have actually been cast; this way, there would be no
unusual discrepancy between the poll books (which record the number of voters
who sign in) and vote totals reported by the machines. In the case of a DRE
system, changing votes electronically changes all official records of the voter’s
choice, so this kind of attack cannot be directly detected by comparing the
electronic totals with other records. In the case of other voting systems, such as DRE
w/VVPT or PCOS, the attacker must also tamper with the paper records, or
prevent their being cross-checked against the electronic records, assuming that there is
some policy in place that requires jurisdictions to check paper records against the electronic totals.

DECIDING HOW MANY VOTES TO CHANGE

An attack could be detected if there were a very strong discrepancy between
informal numbers (polling data, or official results in comparable precincts or
counties) and reported election results. There are at least a couple of ways that
an attack program could minimize suspicion from this kind of evidence:

• Where possible, the attack program on the voting machines would change a
fixed portion of the votes (for instance, in the attack scenarios we have
developed, we have assumed that no more than 7.5% of votes in any single polling
place would be switched), rather than simply reporting a pre-ordained result.
This avoids the situation where, for instance, a recently indicted candidate
mysteriously wins a few precincts by large margins, while losing badly in all
others, raising suspicion that there was an attack. It also prevents a situation
where a candidate wins 80-90% of the vote in one polling place, while
losing badly in all other demographically similar polling places.

• The attack program might also detect when the tampering is hopeless (e.g.,
when the election appears so one-sided that the benefit of improving the
favored candidate’s outcome is outweighed by the cost of increased chance of
detection from implausible results). In that case, it would refrain from any
tampering at all, since this would risk detection without any corresponding
chance of success.

AVOIDING EVENT AND AUDIT LOGS

Tampered software must not leave telltale signs of the attack in any Event or
Audit Logs. There are a number of ways the attack program could accomplish
this goal, depending upon the nature of the attack program and the software it
targets:

• Tampered user-interface software could display the wrong information to the
voter (meaning the voter believes his vote has been recorded accurately),
while recording the attack program choice in all other system events. In this
case, there would be no trace of the attack in the event log.

• Tampered Driver software for storage devices or tampered BIOS could
alter what is written to the storage devices.




BIOS ("basic input/output system")
is the built-in software that 
determines what a computer 
can do without accessing programs 
from a disk. 




• A tampered operating system or other high-privilege-level software could
tamper with the logs after entries are made, avoiding record of such an attack
in the logs.

• A tampered operating system or other software could provide a different log
to the outside world than the one stored internally, if the log is not stored on
removable media.

COORDINATING WITH PAPER RECORD ATTACKS

When the attacker must also tamper with paper records (in the case of PCOS
and DRE w/VVPT systems), she would likely need to prepare replacement
paper records before the voting is completed.

This coordination task could be solved in a number of ways:

• The attacker could wait until the election is over, and then print the
replacement paper records. This raises some logistical problems for the attacker,
such as how to find out what the electronic records show, and print enough
paper records once this information is learned and replace the paper.

• If the attacker is in contact with the voting machine during the voting
process - for example over a wireless network or via an exposed infrared
port - the attacker could print replacement paper records as the tampered
records are produced on the voting machine.

• The attack program could have a predefined sequence of votes, which it
produces electronically and which the attacker can print at any time.

• The attacker could communicate with the voting machine after voting has
ended but before the votes have been displayed to poll workers or sent to the
tabulation center. In this case, the attacker could tell the voting machine what
totals to report and store. This could be done remotely (via wireless or
exposed infrared port) or through some form of direct interaction with the
machine (this would obviously require many conspirators if multiple
machines were involved).

In all cases, the attacker would have the additional problem of replacing the
original records with her created paper records. We discuss this issue infra pp.
71-75.



CONCLUSIONS

Planting a Trojan Horse or other Software Attack Program, though
operationally challenging, is something that a sophisticated attacker could do. An attacker
could take advantage of several points of vulnerability to insert corrupt software.

Many of these points of vulnerability are currently outside the testing and
inspection regimen for voting systems. In any event, we are not confident that testing
and inspection would find corrupt software even when that software is directly
tested and inspected by an ITA.

Our attacker - who aims to move roughly 52,000 votes from the
Democratic-Republicans to the Federalists in the gubernatorial race in Pennasota - need not
know much about the particulars of the election or about local ballots to create 
an effective attack program, and thus could create her attack program at almost 
any time. To the extent she is concerned about the names of the candidates or 
particulars of local ballots, however, she could parameterize her attack by, for 
instance, inserting instructions into the ballot definition files or sending instruc- 
tions over a wireless component, when she would have all the information she 
could want about local ballots. 

There are a number of steps - such as inspecting machines to make sure that all
wireless capabilities are disabled - that jurisdictions can take to make software
attacks more difficult. Ultimately, however, this is a type of attack that should be
taken seriously.





LEAST DIFFICULT ATTACKS 
APPLIED AGAINST EACH SYSTEM 

As already discussed, in a close statewide election like the Pennasota governor’s
election, “retail” attacks, or attacks on individual polling places, would not likely
affect enough votes to change the outcome. By contrast, the less difficult attacks
are centralized attacks: these would occur against the entire voting system and
allow an attacker to target many votes with few informed participants.

Least difficult among these less difficult attacks would be attacks that use
Software Attack Programs. The reason is relatively straightforward: a software
attack allows a single knowledgeable person (or, in some cases, small group of
people) to reach hundreds or thousands of machines. For instance, software
updates and patches are often sent to jurisdictions throughout a state.
Similarly, replaceable media such as memory cards and ballot definition files are 
generally programmed at the county level (or at the vendor) and sent to every 
polling place in the county. 

These attacks have other benefits: unlike retail denial-of-service attacks, or
manual shut off of machine functions, they could provide an attacker’s favored
candidate with a relatively certain benefit (i.e., addition of x number of votes per
machine attacked). And if installed in a clever way, these attacks have a good 
chance of eluding the standard inspection and testing regimens currently in 
place. 

Below, we look at examples of these least difficult attacks against each system:
how they would work, how many informed participants would be needed, how 
they might avoid detection, and how they could swing a statewide election. In 
addition, we evaluate the effectiveness of each of the three sets of countermea- 
sures against them. 

ATTACKS AGAINST DREs WITHOUT VVPT

The Task Force has identified over thirty-five (35) potential attacks against DREs
without VVPT. All of the least difficult attacks against DREs without VVPT
involve inserting Software Attack Programs into the DREs. In this section, we will
examine an example of this least difficult attack and how much more “expensive”
such attacks are made by the “Basic Set” and “Parallel Testing Set” of
countermeasures. We cannot examine the “Automatic Routine Audit Set” of countermeasures against
these attacks, because DREs do not have a voter-verified paper trail to allow auditing to occur.

We are also particularly concerned about attacks that are made easier by use of
wireless networks. This set of attacks will be examined here under “Prevention of
Wireless Communications,” infra pp. 85-86.





REPRESENTATIVE "LEAST DIFFICULT" ATTACK: 

TROJAN HORSE INSERTED INTO OPERATING SYSTEM 
(DRE ATTACK NUMBER 4) 

As already discussed, there are several potential points of entry for a Software
Attack Program. We could have chosen any number of Software Attack
Programs in our DRE Attack Catalog. We have chosen Attack Number 4,
“Trojan Horse Inserted into Operating System,” because it is representative of
these attacks and easy to explain.

As already discussed, a “Trojan Horse” is a type of Software Attack Program that 
masquerades as a benign program component. Unlike viruses, Trojan Horses do 
not replicate themselves. 

DESCRIPTION OF POTENTIAL ATTACK

Here is how this representative attack works:

• A third-party software company supplies a publicly available operating
system for DREs.

• As already noted, the Trojan Horse could be inserted by any number of
people: a programmer working for the voting system vendor, the operating
system vendor, or an employee of a company that contracts with the software
company that creates the operating software. The Trojan Horse could also
be inserted in an operating system update or patch that would be inserted on
any voting machine that ran on this operating system.

• The attacker could change the human-readable source code for the
operating system, to ensure that anyone who decided to inspect the code would not
find the Trojan Horse. In any event, the operating system is COTS software,
so it is unlikely to be reviewed by the vendor, or inspected by the ITA.

• The Trojan Horse is coordinated with the voting machine’s internal clock
and set to activate after ITA, Acceptance, and Logic and Accuracy Testing
are complete (e.g., the first Tuesday after the first Monday in November 2007,
after 11 a.m.). This would prevent any detection during such testing.

• Among the many ways a Trojan Horse could ensure the misrecording of
votes, it could:

    • Detect when a ballot is displayed, and reverse the order of the first two
    entries on the screen (so if the order should be, for example, Johnny
    Adams and Tom Jefferson, the displayed order is Tom Jefferson and
    Johnny Adams). In this scenario, the Trojan Horse would also check for
    the names on the review screen, and if either of the two names appeared,
    the other would be substituted and recorded.

    • Alter votes in the electronic memory at the end of a full day of voting.
    This might be slightly more complicated, as it could require the Trojan
    Horse to change the electronic records in the many locations where vote
    totals are stored and avoid leaving entries in the Event and Audit Logs,
    or create new logs.

    • Display information as the DRE is intended to (i.e., ballot positions are
    not reversed and verification screens let voters believe their choices have
    been accurately recorded), but record the Trojan Horse’s choice in all
    other system events.

• The Trojan Horse could attempt to ensure that no one would discover what it
has done after the election is over, even if there are suspicions that machines
were attacked:

    • It could tamper with the Event and Audit logs after the attack is
    complete, preventing the creation of a record of such an attack in the logs.

    • It could create and provide a new log to the outside world, different than
    that stored internally.

    • It could avoid the Event and Audit Logs altogether, by displaying the
    wrong information to the voter (i.e., allowing the voter to believe his vote
    has been recorded correctly), while recording the Attack Program’s
    choice in all other system events.

We estimate that with clever enough attackers, this attack could successfully be
completed with just one person; this attack involves only one step: design and
insertion of the Trojan Horse. Obviously, it would be important for the
designer of the Trojan Horse to understand the workings of the DRE she seeks to
attack. But once the Trojan Horse was successfully inserted, it would not
require any further involvement or informed participants.

HOW THE ATTACK COULD SWING STATEWIDE ELECTION

In the race for governor of Pennasota, 3,459,379 votes would be cast, and the
election would be decided by 80,257 votes (or 2.32%). We assume that the
attacker would want to leave herself some margin of error, and therefore aim to (1) add
103,781 votes (or 3%) to Johnny Adams’s total (or subtract the same from Tom
Jefferson) or (2) switch 51,891 votes from Tom Jefferson to Johnny Adams.

If we assume that each DRE would record roughly 125 votes, we calculate that
Pennasota would have approximately 27,675 DREs. This would require the
Software Attack Program to switch fewer than 2 votes per machine to change the
outcome of this election and do so with a comfortable margin of victory.





EFFECT OF BASIC SET OF COUNTERMEASURES

The Basic Set of Countermeasures that apply to DREs without VVPT are as
follows:

• The model of DRE used in Pennasota has passed all relevant ITA
inspections.

• Before and after Election Day, machines for each county are locked in a
single room.

• Some form of tamper-evident seals are placed on machines before and after
each election.

• The machines are transported to polling locations five to fifteen days before
Election Day.

• Acceptance Testing is performed by every county at the time the machines
are delivered from the vendor.

• Logic and Accuracy Testing is performed immediately prior to each election
by the County Clerk.

• At the end of Election Day, vote tallies for each machine are totaled and
compared with the number of persons who have signed the poll books.

• A copy of totals for each machine is posted at each polling place on election
night and taken home by poll workers to check against what is posted
publicly at election headquarters, on the web, in the papers, or elsewhere.

Given the small number of votes changed per machine, we do not believe that
the altered machine totals alone would alert election officials or the public to the 
fact that election results had been changed. 

As already explained, supra pp. 42-44, there is a good chance that the ITA (and,
for that matter, the vendor) would not find the attack during its inspection of the
code. First, the attacker could erase the Trojan Horse from the human-readable
source code, on the chance that an inspector might review the operating system’s
source code carefully. In this case, only a careful forensic analysis of the machine
could find the Trojan Horse. Second, because the operating system is COTS
code, it is unlikely that the code for the operating system (and its updates and
patches) would be inspected at all. Third, if the Trojan Horse is part of an
operating system update or patch, it may never even enter an ITA. The model
would have already passed inspection; it is unlikely that local jurisdictions or the
vendor would ask the ITA to conduct an entirely new test and inspection with a
model that has the COTS patch or update installed.





Once the Trojan Horse was inserted, the physical security detailed in the Basic 
Set of Countermeasures would not be of any benefit. 

Finally, the testing done in this set of countermeasures would not catch the attack.
The Trojan Horse, by waiting until 11 a.m. on Election Day, would ensure that
all testing is complete. Posting election night results at the polling place would not
help either; these results would match county election totals. Unfortunately,
neither set of numbers would match actual voter choice.

Based on this analysis, we have concluded that the Basic Set of Countermeasures 
would not require our attacker to add any more informed participants to com- 
plete her attack successfully. 
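
The two end-of-day checks in the Basic Set can be written down as code to show what each one verifies. This Python sketch is an added example, not part of the report; the data structure, the constructed tallies and the simplifying assumption that every signed-in voter casts exactly one vote in the contest are all illustrative.

```python
from dataclasses import dataclass


@dataclass
class MachineTape:
    machine_id: str
    polling_place: str
    posted: dict      # candidate -> votes on the copy posted at the polling place
    published: dict   # candidate -> votes for this machine as published centrally


def reconcile(tapes, signins):
    """Run both Basic Set checks; return a list of (subject, problem) findings."""
    findings = []
    recorded_by_place = {}
    for tape in tapes:
        recorded_by_place[tape.polling_place] = (
            recorded_by_place.get(tape.polling_place, 0) + sum(tape.posted.values())
        )
        # Check: copy posted on election night vs. totals published afterwards.
        if tape.posted != tape.published:
            findings.append((tape.machine_id,
                             "posted totals differ from published totals"))
    # Check: machine tallies per polling place vs. poll book sign-ins.
    for place in sorted(recorded_by_place):
        recorded, signed = recorded_by_place[place], signins.get(place)
        if recorded != signed:
            findings.append((place, f"{recorded} votes recorded, {signed} sign-ins"))
    return findings


# Constructed data: one polling place, one machine, 125 voters signed in.
SIGNINS = {"PP-1": 125}
VOTER_INTENT = {"Adams": 60, "Jefferson": 65}


def one_machine(posted, published=None):
    return [MachineTape("DRE-1", "PP-1", posted, published or posted)]


def run_scenarios():
    return {
        "accurate": reconcile(one_machine(VOTER_INTENT), SIGNINS),
        # Two votes switched inside the machine: the total is conserved and
        # every copy of the totals agrees, so neither check has anything to flag.
        "switched": reconcile(one_machine({"Adams": 62, "Jefferson": 63}), SIGNINS),
        # Three votes added: the total no longer matches the poll book.
        "added": reconcile(one_machine({"Adams": 63, "Jefferson": 65}), SIGNINS),
        # Totals altered after posting: the posted copy exposes the change.
        "altered_after_posting": reconcile(
            one_machine(VOTER_INTENT, {"Adams": 62, "Jefferson": 63}), SIGNINS),
    }


if __name__ == "__main__":
    for name, findings in run_scenarios().items():
        print(f"{name:22s} {findings or 'no findings'}")
```

Both checks compare machine output with machine output or with a head count, which is why only an independent record of voter choice can expose the switched case.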

EFFECT OF REGIMEN FOR PARALLEL TESTING

As already discussed, the Regimen for Parallel Testing involves selecting voting
machines at random and testing them as realistically as possible during the
period that votes are being cast. The object of this testing is to find any bug (whether
deliberately or accidentally installed) that might be buried in the voting machine
software and which could affect the ability of the voting machines to record
votes accurately. Unlike other pre-election testing which is almost always done
using a special “test mode” in the voting system, and thus might be subverted by
a clever attacker relatively easily, Parallel Testing attempts to give no clues to the
machine that it is being tested. Professional testers cast votes generated by a
script for the full Election Day (this would allow the testers to find an attack that
triggers, for example, after 11 a.m. on Election Day). If Parallel Testing is done
as we suggest, these cast votes would simultaneously be recorded by a video
camera. At the end of the day, election officials reconcile the votes cast on the
tested machine with the results recorded by the machine. The video camera is a
crucial element in the Regimen for Parallel Testing, because it allows officials to
ensure that a contradiction between the machine record and the script is not the
result of tester error.

The Trojan Horse attack is one of the attacks that Parallel Testing is intended to
catch. There should be no question that if properly implemented, Parallel
Testing would make a Trojan Horse attack more difficult.

But how much more difficult, and in what way? In the following subsections, we
assess the ways an attacker might subvert Parallel Testing and how difficult this
subversion would be: this includes a review of the ways in which Parallel Testing
may force an attacker to invest more time, money and technical savvy to
implement a least difficult attack like DRE Attack Number 4 successfully. It also
includes an assessment of the number of additional informed participants that
would be needed to implement this attack when the Regimen for Parallel Testing
Plus Basic Set of Countermeasures is in place.



We have identified two ways that an attacker might be able to subvert Parallel
Testing, and thus still successfully implement DRE Attack Number 4. They are:

1. infiltrate the Parallel Testing teams; and

2. create an Attack Program that can recognize when it is being Parallel Tested
and knows to shut off under such circumstances.

As discussed in further detail below, in certain scenarios, an attacker could
combine these two methods to subvert Parallel Testing.




Infiltrating the Parallel Testing Teams

Subverting Parallel Testing by simply infiltrating the Parallel Testing team would
be extremely difficult. To have a reasonable chance of defeating Parallel Testing
this way, the attacker would have to add approximately 100 informed participants
to her conspiracy.

As detailed in Appendix a state does not have to test a particularly large
number of machines for Parallel Testing to catch a Trojan Horse that has been
inserted for the purpose of changing the outcome of a statewide election. Assuming
that 5% of all machines were attacked (and in Pennasota, we have determined
that more than 7% would need to be attacked to swing a statewide election),
we calculate that it would be necessary to test only 58 machines to have a 95%
chance of testing a machine that has a Trojan Horse. As a reminder, under the
Regimen for Parallel Testing Plus Basic Set of Countermeasures, every testing
team would have a tester and observer.

If the attacker managed to infiltrate half of the teams of testers and observers
and make them part of the attack conspiracy (for a total of 58 additional fully
informed participants), there would still be a greater than 75% chance that
uncorrupted parallel testers would test a machine that contained a Trojan Horse.

To reduce the odds substantially, so that there would be just a 10% chance that
Parallel Testing would catch the Trojan Horse, the attacker would need to involve
all but two teams of testers (meaning she would need to involve over 100 parallel
testers and observers in the conspiracy).
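
The coverage figures in this subsection can be reproduced when sizing a Parallel Testing program. The following Python sketch is an added example, not part of the report: it computes the exact chance that randomly selected machines include at least one attacked machine (sampling without replacement), assuming the report's 27,675 DREs, 5% of machines attacked, and one tested machine per two-person team. The function names are illustrative.

```python
"""Parallel Testing coverage for the Pennasota scenario (added example)."""

TOTAL_DRES = 27_675                    # machines in Pennasota, from the report
ATTACKED = round(0.05 * TOTAL_DRES)    # report's assumption: 5% of machines
TEAMS = 58                             # assumption: one tested machine per team
PEOPLE_PER_TEAM = 2                    # a tester and an observer


def miss_probability(total, attacked, sampled):
    """P(a random sample, drawn without replacement, has no attacked machine)."""
    if not (0 <= attacked <= total and 0 <= sampled <= total):
        raise ValueError("attacked and sampled must lie between 0 and total")
    clean = total - attacked
    if sampled > clean:
        return 0.0                     # sample is larger than the clean pool
    p = 1.0
    for i in range(sampled):
        p *= (clean - i) / (total - i)
    return p


def detection_probability(total, attacked, sampled):
    """P(at least one attacked machine is among those honestly tested)."""
    return 1.0 - miss_probability(total, attacked, sampled)


def min_sample_size(total, attacked, confidence):
    """Smallest sample whose detection probability is >= confidence."""
    if attacked < 1 or not 0 < confidence <= 1:
        raise ValueError("need at least one attacked machine and 0 < confidence <= 1")
    clean = total - attacked
    miss = 1.0
    for n in range(1, total + 1):
        miss *= max(clean - (n - 1), 0) / (total - (n - 1))
        if 1.0 - miss >= confidence:
            return n
    return total


def residual_detection(total, attacked, teams, compromised_teams):
    """Detection probability left when some teams cannot be trusted to report."""
    if not 0 <= compromised_teams <= teams:
        raise ValueError("compromised_teams must lie between 0 and teams")
    return detection_probability(total, attacked, teams - compromised_teams)


def coverage_table():
    """Rows for no compromised teams, half of them, and all but two."""
    rows = []
    for compromised in (0, TEAMS // 2, TEAMS - 2):
        rows.append({
            "compromised_teams": compromised,
            "people": compromised * PEOPLE_PER_TEAM,
            "detection": residual_detection(TOTAL_DRES, ATTACKED, TEAMS, compromised),
        })
    return rows


if __name__ == "__main__":
    # 58 machines give about 94.9%, which rounds to the report's 95%;
    # a strict threshold of 0.95 needs one more machine.
    print("strict 95% sample size:", min_sample_size(TOTAL_DRES, ATTACKED, 0.95))
    for row in coverage_table():
        print(f"{row['compromised_teams']:2d} teams ({row['people']:3d} people) "
              f"compromised -> detection {row['detection']:.1%}")
```

Because detection falls off slowly as honest teams are removed, the control degrades gracefully: it takes the loss of nearly every team before the chance of testing an attacked machine becomes small.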


Creating an Attack That Recognizes Testing

Rather than subvert Parallel Testing by infiltrating the Parallel Testing teams 
alone, an attacker's best bet would be to design an attack program that is capable 
of recognizing when it is being tested. How might a tampered program detect 
that a machine is being used by parallel testers, rather than by regular voters? 



320 


54 


THE MACHINERY OF DEMOCRACY: PROTECTING ELECTIONS IN AN ELECTRONIC WORLD 


There are a number of possibilities: 

1. Warning the Trojan Horse. Someone on the attack team may communicate 
with the Trojan Horse, for example by using a wireless data channel to 
deactivate the attack behavior when Parallel Testing is being conducted in a 
polling place, or to activate it when there is no Parallel Testing being conducted. 

2. Detecting the Test Environment. The Trojan Horse may determine that the 
machine is being parallel tested by looking at details of interactions between 
the machine and the “voters” or the larger voting system. For instance, many 
machines require the insertion of a smartcard or memory token before they 
would record any votes. Usually, there are several tokens in one polling place, 
and any one of them can be used on any machine. This means that most 
machines would have to scan a number of tokens during an Election Day. A 
Trojan Horse might be able to detect that a machine is being parallel tested 
if the same smartcard or memory token is inserted in that same machine all 
day. 

3. Recognizing Vote Patterns. The Trojan Horse may determine that the 
machine is being parallel tested by looking at the pattern of votes cast. For 
example, if Parallel Testing is done with randomly selected votes on each 
ballot position, the attack program may quickly notice that the Green and 
Libertarian candidates are getting about as many votes as the Republican 
and Democrat. 

4. Recognizing Usage Patterns. The Trojan Horse may determine that the 
machine is being parallel tested by looking at usage patterns such as number 
of votes, speed of voting, time between voters, commonness of unusual 
requests like alternative languages or assistive technology, etc. For example, if 
Parallel Testing is always done for exactly 100 votes, the attack program may 
simply leave the vote totals unchanged when it gets exactly 100 votes. At 
the 101st vote, the Trojan Horse knows it is safe to activate, and can switch 
vote totals at that point. 

The first two of these are largely solvable by technical measures, the second two 
are impossible to solve in principle; they lead to a kind of arms race between 
attackers and defenders, and it is unclear where the ultimate advantage would lie. 

Warning the Trojan Horse 

There are many ways for attackers to (1) warn a Trojan Horse that its machine is 
being parallel tested, so that the Trojan Horse suppresses any attack behavior, or (2) 
activate Trojan Horses only on machines the attackers know are not being tested. 

First, parallel testers, voters or poll workers could manually “tell” machines 
whether they were being tested. The attackers could: 





• Send voters to each machine to be used in the attack with some kind of 
Cryptic Knock such as a voting pattern extremely unlikely to occur in the 
Parallel Testing. 

  There are problems with this attack: voters sent to these machines need not 
  be fully informed about the attack; however, since they know the Cryptic 
  Knock, they could inform the authorities about what they have been told 
  to do, and thus could allow parallel testers to detect the attack. Also, this 
  strategy would require involving over 1,000 registered voters if this attack is 
  expected to swing the governor’s race in Pennasota. 

• Have election officials turn on each machine for voting using some Cryptic 
Knock to activate the attack program. 

  This still requires a great many insiders in the attack team, since some 
  election official or poll worker must do this for each machine to be activated. We 
  have estimated that a minimum of 606 polling stations would need to be 
  attacked in our state to swing an election, so this would involve the 
  participation of 606 pollworkers. 

• Have parallel testers warn machine being tested with a Cryptic Knock. 
Because it would only take a single tester to warn the machine (and because 
the Cryptic Knock could be an innocuous action, like tapping the screen 
three times in the upper left hand corner), it would be unnecessary to subvert 
the entire team; instead it would only be necessary to subvert one team 
member per testing team, for a total of 58 testers. 

In some circumstances, attackers could also warn the machines remotely: 

• If the voting machine is capable of receiving wireless data transmissions, 
over a wireless network or through an infrared port, then a single member of 
the attack team with a wireless-enabled PDA could activate or deactivate an 
entire polling place full of machines’ attack programs, after verifying that no 
Parallel Testing is being done nearby. Thus, in jurisdictions that use machines 
capable of receiving wireless transmissions, an attacker with enough foresight 
and technical skills could subvert Parallel Testing by increasing her attack 
team size by a relatively small number (and none of these attackers would 
need to be insiders). 

• If the voting machine is networked with other voting machines, and the 
attack program is installed in all of them, then a voter or election official need 
only use her Cryptic Knock once per polling place to enable or disable the 
attack program on all connected machines. 

• If the voting machine is connected over some network to a central server, an 
attacker could issue a centralized warning telling compromised machines at 
polling places that would be receiving Parallel Testing teams not to trigger 
their attack behavior. This would require the attacker to (1) learn where 
Parallel Testing was occurring, and (2) find a method for infiltrating the 
network. Given the fact that jurisdictions in California are told which polling 
place would be tested at least a month in advance, it is plausible to imagine 
that this attack (against machines connected by a network to central servers) 
could be successful without dramatically increasing attack team size. 

This discussion demonstrates the importance of closing machines off to remote 
communications: by removing any wireless channel by which voting machines 
can receive commands, the designer of a voting system can make Parallel Testing 
much more effective. Similarly, the effectiveness of Parallel Testing can be 
improved if the machines are never connected to one another during voting. 
Ideally, a voting machine would be completely isolated during the election and 
would print out or otherwise display its totals before being connected to any 
central server to send in its tallies. 

Detecting the Test Environment 

The voting machine operates in a certain environment in terms of its inputs and 
outputs. Some aspects of this environment may yield clues that it is being tested, 
rather than used in a normal election. For example: 

• If the machine is treated in some different way when being activated for 
testing rather than normal voting, this is an easy thing to detect. For example, if 
a machine has its usual memory card replaced just before Parallel Testing, 
but it does not under normal circumstances, the attack program could use 
this to determine that it is being tested. 

• Many machines require entry of authorization codes, memory tokens, or 
smart cards before a vote can be cast. If the same memory token/smartcard 
is presented many times, or if sequentially issued authorization codes are 
used for the voting machine, this could indicate testing. 

An attacker’s knowledge of these idiosyncrasies in the testing process could allow her to defeat 
Parallel Testing without increasing the attack team size. As long as there is something 
detectable by the machine that always occurs in Parallel Testing, the attacker 
should be able to defeat it. Take, for example, the situation where authorization 
codes are entered in tested machines sequentially. If the attacker knows that this 
always occurs in Parallel Testing, she simply instructs the Trojan Horse to shut off 
in the event that the first five authorization codes are entered sequentially. The 
testers would see no evidence that a Trojan Horse has been inserted into the 
machine. 

To the furthest extent possible, the voting machine would be designed so that 
Parallel Testing would look no different from normal voting to the machine. 
More importantly, the precise techniques used for Parallel Testing (e.g., exactly 
how and when the machine is activated, how activation codes/smart cards, etc. 
are produced to allow voting, etc.) should not be fully determined or revealed until 
immediately before the election. For Parallel Testing to be most effective, details 
of how Parallel Testing is conducted would change from election to election. 

Recognizing Voting Patterns 

Parallel Testing means voting on the machine to verify that it is accurately col- 
lecting votes. However, some voting patterns are more likely to occur than others, 
and some voting patterns are almost certainly artificial. If a Trojan Horse recog- 
nizes a voting pattern as artificial, it can shut off and defeat Parallel Testing. 

There are at least three ways for an attacker to exploit this vulnerability: 

• The attacker could help write the Parallel Testing script, or have some power 
over it. She could use this to ensure that its outputs are always detected by the 
attack program. For example, the attacker could design the Parallel Testing 
script to undervote the first race on the 40th and 50th ballots cast; the attack 
program would notice this and refrain from any attack behavior when it 
happens. 

• The attacker could analyze the program or process used to generate the 
scripts (sequence of votes) used for Parallel Testing and find a way to detect 
these scripts. For example, if the Parallel Testing program always generates a 
script where the first vote is one for a Federalist, the attack program might 
only trigger where the first vote is for a non-Federalist candidate. 

• The attacker could analyze the statistical pattern of actual ballots cast in the 
state or county she is attacking, and attempt to design her program to catch 
suspicious patterns. This involves a kind of arms race between the attacker 
and the designer of Parallel Testing scripts. It also involves a huge increase in 
the sophistication of the attack program. 

An important lesson from this analysis is that to make Parallel Testing more 
effective, the Parallel Testing scripts need to be generated in a way that is not 
completely under any one person’s control. The program used to generate Parallel Testing 
scripts would be kept secret until the day of the election; afterward, it would be fully 
specified, along with the random number generator seed used to produce the 
scripts, so that everyone can see that the scripts were generated in a sensible way 
and according to the program. It is important to design the Parallel Testing scripts 
so that they do not deviate in obvious ways from real voting patterns: that is, to be 
most effective, the scripts would include occasional third-party votes, undervotes, 
straight-ticket votes and would broadly track likely voting patterns. 

If an attacker can develop a Trojan Horse that can separate real voting patterns 
from Parallel Testing patterns, she can subvert Parallel Testing without increasing 
her attack team size. On the other hand, it is important to recognize the 
difference between a theoretical difference in voting patterns and one that is useful to 
an attack program. The attack program must run on voting machines in a wide 
variety of polling places with a wide variety of voting patterns. Refusing to 
activate the attack behavior for too many voting patterns would leave the attack 
program unable to operate, and the attacker has a daunting data analysis problem to 
solve before she can determine how to write her attack program. 

Recognizing Usage Patterns 

Finally, the attack program may recognize usage patterns from the parallel testers 
that differ in important ways from those of real voters. For example: 

• Parallel testers are likely to vote much more quickly and efficiently than most 
voters, especially after having cast many previous votes. 

• A team of one or two parallel testers using the machine would not vary much 
in their usage pattern; that is, there would not be a fast, efficient voter 
followed by a rather slow one as one would expect to see in a real election. 

• Parallel testers are likely to have very different patterns of errors (e.g., 
attempted overvotes, undervotes which they return to and correct) than normal 
voters, especially after casting many votes. 

• Parallel testers may take less time between casting ballots than normal voters; 
in a real election, the pattern of voters coming to vote would vary during the 
day. 

• Unless instructed to do so by the script, most parallel testers are not likely to 
use assistive technology or alternative languages. On the other hand, if 
Parallel Testing scripts always include at least one use of each alternative 
language, this is likely to allow the attack program to determine that it is being 
tested. 

One lesson from this analysis is that, to be most effective, the Parallel Testing 
script should include details like how quickly or slowly to vote, when to make 
“errors,” and perhaps even when to cast each vote. 
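
The two lessons drawn above (scripts generated from a seed that no one person controls and that is published after the election, and scripts that also specify pace, deliberate "errors" and timing) can be sketched as follows. This is an added example, not code from the report or from any election authority; the candidate weights, rates, function names and the commit-then-reveal way of mixing the seed are assumptions made for illustration.

```python
import hashlib
import math

# Constructed profile: every name, weight and rate here is an illustrative assumption.
RACES = {
    "Governor": {"Tom Jefferson": 48, "Johnny Adams": 46,
                 "Third-party candidate": 3, "UNDERVOTE": 3},
    "Clerk": {"Candidate A": 45, "Candidate B": 43, "UNDERVOTE": 12},
    "Prop 1": {"Yes": 47, "No": 38, "UNDERVOTE": 15},
}
SLATES = [  # straight-ticket choices; propositions are still voted individually
    {"Governor": "Tom Jefferson", "Clerk": "Candidate A"},
    {"Governor": "Johnny Adams", "Clerk": "Candidate B"},
]
STRAIGHT_TICKET_RATE = 0.20
CORRECTED_ERROR_RATE = 0.05  # tester mis-selects on purpose, then corrects it
ALT_LANGUAGE_RATE = 0.02     # occasional, never "exactly once per script"
MEAN_GAP_S = 240.0           # mean idle time between voters, in seconds
BALLOT_RANGE = (80, 140)     # ballot count is drawn, never a fixed 100


def commit(contribution: bytes) -> str:
    """Commitment an official publishes before the election.
    Contributions must be long random values, or the commitment can be guessed."""
    return hashlib.sha256(b"pt-commit:" + contribution).hexdigest()


def combine_seed(reveals: list, commitments: list) -> bytes:
    """Mix every official's revealed contribution into one seed, after checking
    each against its earlier commitment, so no single person chooses the seed."""
    if len(reveals) != len(commitments):
        raise ValueError("one commitment is required per contribution")
    mixer = hashlib.sha256(b"pt-seed:")
    for value, promised in zip(reveals, commitments):
        if commit(value) != promised:
            raise ValueError("revealed contribution does not match its commitment")
        mixer.update(len(value).to_bytes(4, "big") + value)
    return mixer.digest()


class SeedStream:
    """Uniform numbers in [0, 1) from SHA-256(seed || counter); easy to re-derive
    in any language once the seed is published after the election."""

    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0

    def uniform(self) -> float:
        block = hashlib.sha256(self.seed + self.counter.to_bytes(8, "big")).digest()
        self.counter += 1
        return (int.from_bytes(block[:8], "big") >> 11) / 2**53

    def pick(self, weighted: dict) -> str:
        target, running = self.uniform() * sum(weighted.values()), 0.0
        for choice, weight in weighted.items():
            running += weight
            if target < running:
                return choice
        return choice  # guard against floating-point rounding at the top edge


def generate_script(seed: bytes) -> list:
    """Build the ordered list of ballots a testing team enters, with timing."""
    rng = SeedStream(seed)
    low, high = BALLOT_RANGE
    count = low + int(rng.uniform() * (high - low + 1))
    clock, script = 0, []
    for number in range(1, count + 1):
        clock += int(-MEAN_GAP_S * math.log(1.0 - rng.uniform()))  # irregular idle gap
        pace = 5 + int(rng.uniform() * 40)  # mixes fast and slow "voters"
        slate = {}
        if rng.uniform() < STRAIGHT_TICKET_RATE:
            slate = SLATES[int(rng.uniform() * len(SLATES))]
        votes = {race: slate.get(race) or rng.pick(options)
                 for race, options in RACES.items()}
        script.append({
            "ballot": number,
            "start_at_s": clock,
            "seconds_per_race": pace,
            "make_corrected_error": rng.uniform() < CORRECTED_ERROR_RATE,
            "alternative_language": rng.uniform() < ALT_LANGUAGE_RATE,
            "votes": votes,
        })
        clock += pace * len(RACES)  # machine is busy while this ballot is cast
    return script


def verify_script(seed: bytes, published: list) -> bool:
    """Anyone holding the revealed seed can confirm the script was not hand-edited."""
    return generate_script(seed) == published


if __name__ == "__main__":
    # Constructed contributions standing in for two officials' random values.
    reveals = [b"constructed-official-1-random-bytes", b"constructed-official-2-random-bytes"]
    seed = combine_seed(reveals, [commit(r) for r in reveals])
    script = generate_script(seed)
    print(len(script), "ballots; first:", script[0])
    print("verifies:", verify_script(seed, script))
```

In a real regimen the weights would come from past returns for the precinct being tested, so that the script tracks likely voting patterns there.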

More generally, our review of Parallel Testing leads us to conclude that good 
Parallel Testing should make a successful Software Attack Program significantly 
more complex to execute successfully. In terms of forcing our attacker to add 
additional informed participants to her attack, it might only require the addition 
of one to three people. This could be someone in control of writing, or with 
access to, Parallel Testing scripts. If such persons worked in conjunction with the 
designer of the Trojan Horse, they would have a good chance of subverting 
Parallel Testing. Similarly, conspirators with excellent knowledge of Parallel 
Testing procedures and practices could assist in the development of a Trojan 
Horse that could shut off when testing was detected. 




TAKING ACTION WHEN PARALLEL TESTING FINDS DISCREPANCIES 

Parallel Testing provides another problem: what happens when the electronic 
results reported by the machine do not match the script? In California, the 
process is relatively straightforward; a videotape of the testing is reviewed. The 
testers and Parallel Testing project manager examine the tape to determine 
whether human error (where the tester has accidentally diverged from the 
script) is the cause of the discrepancy. 

If human error cannot explain the discrepancy, the Secretary of State’s office 
impounds the machine and attempts to determine the source of the problem. 

Beyond this, even California does not appear to have a clear protocol in place. 

We have concluded that even if Parallel Testing reveals evidence of software bugs 
and/or attack programs on a voting machine, this countermeasure itself will be 
of questionable value unless jurisdictions have in place and adhere to effective 
policies and procedures for investigating such evidence, and taking remedial 
action where appropriate. Detection of fraud without an appropriate response 
will not prevent attacks from succeeding. We offer an example of procedures that 
could allow jurisdictions to respond effectively to detection of bugs or software 
programs in Appendix M. 

Adhering to such procedures when discrepancies are discovered during Parallel 
Testing is of the utmost importance. The misrecording of a single vote during 
Parallel Testing could indicate much wider problems. Our analysis shows that 
Parallel Testing is a meaningful countermeasure only if there is a clear 
commitment to following investigative and remedial procedures when problems are 
discovered. 


CONCLUSIONS AND OBSERVATIONS 

Conclusions from the Representative Least Difficult Attack 

With the Basic Set of Countermeasures in place, a minimum of one informed 
participant will be needed to successfully execute DRE Attack Number 4 (Trojan 
Horse Inserted Into Operating System) and change the result of the Pennasota 
governor’s race. 

With the Regimen for Parallel Testing Plus Basic Set of Countermeasures, DRE 
Attack Number 4 becomes more difficult. The attacker will need at least 2 to 4 
informed participants to successfully execute DRE Attack Number 4 and 
change the result of the Pennasota governor’s race. 

We are unable to examine whether the Regimen for Automatic Routine Audit 
Plus Basic Set of Countermeasures would make DRE Attack Number 4 more 
difficult because DREs do not have a voter-verified paper trail. 





Conclusions about Trojan Horses and other Software Attack Programs 

• The Trojan Horse and other corrupt software attacks are extremely 
dangerous because they require very few (if any) co-conspirators and can affect 
enough votes to change the outcome of a statewide race. 

• The Basic Set of Countermeasures currently used in many jurisdictions is not 
likely to catch a clever Trojan Horse or other Software Attack Program. 

Conclusions about the Potential Effectiveness of Parallel Testing 

• Parallel Testing, if conducted properly, will force an attacker who employs a 
Software Attack Program to spend much more time preparing her attack, 
and gaining significant knowledge before she can execute a successful attack. 

• Parallel Testing creates a kind of arms race between attackers and defenders: 
as Parallel Testing becomes more sophisticated, the attacker must become 
more sophisticated; as the attacker becomes more sophisticated, Parallel 
Testing must come up with new ways to trip her up. The single biggest 
problem with Parallel Testing is that, given the potential resources and motivation 
of an attacker, it is ultimately unclear whether the final advantage would lie 
with the testers or the attacker. Moreover, because Parallel Testing does not 
create an independent record of voters’ choices, there is no reliable way to 
know whether an attack has successfully defeated Parallel Testing. 

• Parallel Testing would not necessarily require an attacker to involve 
significantly more co-conspirators to employ her attack successfully. We have 
envisioned scenarios where the attacker could involve as few as one to three 
additional conspirators to circumvent Parallel Testing. Because of the “arms 
race” created by Parallel Testing, it is extremely difficult to assign a minimum 
number of attackers that might be needed to circumvent it. 

Conclusions about Taking Action When Attacks or Bugs Are Discovered by Parallel Testing 

• Parallel Testing as a countermeasure is of questionable value unless 
jurisdictions have in place and adhere to effective policies and procedures for 
investigating evidence of computer Software Attack Programs or bugs, and taking 
remedial action, where appropriate. 

Key Observations about Parallel Testing 

Our examination of Parallel Testing shows that the following techniques could 
make a Parallel Testing regime significantly more effective: 

• The precise techniques used for Parallel Testing are not fully determined or 
revealed, even to the testers, until right before the election. Details of how 
Parallel Testing is conducted are changed from election to election. 

• The wireless channels for voting machines to receive commands are closed. 

• Voting machines are never connected to one another during voting. If they 
are normally connected, a voter or pollworker might be able to activate or 
deactivate a Trojan Horse on every machine in the polling place with one 
triggering command or event. 

• Each voting machine is completely isolated during the election. This would 
prevent remote attacks from activating or deactivating the Trojan Horse. 

• To the extent possible, the voting machines are designed so that Parallel 
Testing would look no different from real voting to the machine. Parallel 
Testing scripts could include details like how quickly or slowly to vote, when 
to make “errors,” and perhaps even when to cast each vote. 

• Parallel Testing is videotaped to ensure that a contradiction between the 
script and machine records when Parallel Testing is complete is not the result 
of tester error. 

ATTACKS AGAINST DREs w/VVPT 

We have identified over forty (40) potential attacks against DREs w/VVPT. As 
it was for DREs without VVPT, all of the least difficult attacks against DREs 
w/VVPT involve inserting Trojan Horses or corrupt software into the DREs. 
The key difference in attacks against DREs w/VVPT is that our attacker may 
also have to attack the paper trail. 

A paper trail by itself would not necessarily make an attack on DREs more 
difficult. An attacker against DREs w/VVPT has two options: 

1. Ignore the paper trail in the attack. Under this scenario, only the electronic 
record of votes is targeted. The attacker hopes that the electronic record 
becomes the official record, and that no attempt is made to count the paper 
record, or to reconcile the paper and electronic records; or 

2. Attack both the paper and electronic records. Under this scenario, the 
attacker would program her software record to change both the electronic and 
paper records. This attack would only work if a certain percentage of voters 
does not review the paper record and notice that their votes have not been 
recorded correctly. 

In this section, we examine examples of both types of attacks. Further, we 
evaluate how difficult each of these attacks would become if a jurisdiction 
implemented the “Basic,” “Parallel Testing Plus Basic,” and “Automatic Routine Audit 
Plus Basic” sets of countermeasures. 





REPRESENTATIVE "LEAST DIFFICULT" ATTACK: 

TROJAN HORSE TRIGGERED WITH HIDDEN COMMANDS 
IN BALLOT DEFINITION FILE (DRE w/VVPT ATTACK NUMBER 1A) 

We have already discussed how a Trojan Horse might be inserted into a DRE. 
The insertion of a Software Attack Program into a DRE w/VVPT would not 
differ in any significant way. It could be inserted into the software or firmware at the 
vendor, into the operating system, COTS software, patches and updates, etc. In 
most cases, this would require the involvement of a minimum of one attacker. 

As already discussed (see supra p. 55), if the attacker wanted to tailor her attacks to 
specific precincts, she might create an attack program that would not activate 
unless it has been triggered. In this scenario, the attack would be “parameterized” 
(told which ballot, precinct, race, etc. to attack) by commands that are fed into 
the machine at a later time. This allows the attacker to trigger an attack with 
specific instructions whenever she decides it could be useful. 

Voting machine security experts sometimes imagine this triggering and 
parameterization would happen via the ballot definition files. Ballot definition files tell 
the machine how to (1) display the races and candidates, and (2) record the votes 
cast. Ballot definition files are often written by the voting machine vendor 
employees or consultants, but they are also frequently written by local 
jurisdictions themselves (at the county level), with software and assistance provided by the 
vendor. 

A seemingly innocuous entry on the ballot definition file could be used to trigger 
the attack program. For instance, as already discussed, an extra space after the last 
name of a candidate for a particular race could trigger an attack that would 
subtract five votes from that candidate’s total on every machine. This triggering is 
referred to as “parameterization” because it allows the attacker to set the 
parameters of the attack - i.e., the ballot, the precinct (because there is a different ballot 
definition file for each precinct), the race, and the candidate who is affected. 

If the vendor writes the ballot definition files for many counties in a state, only 
one person would be needed to trigger and parameterize the attack in many 
polling places. 

This attack would become more difficult if every county created its own ballot 
definition file. In such cases, the attacker would have to find one participant per 
county to help her with her attack. In addition to forcing the attacker to expand the 
number of participants working with her, creating the ballot definition files 
locally could force the attackers to infiltrate the election offices of multiple counties. 

Here is how this representative attack could happen in Pennasota: 

• The Software Attack Program is created and inserted at any time prior to an 
election. 

• If the ballot definition files are created at the vendor, or by a consultant 
provided by the vendor: Someone at the vendor involved in creating, editing or 
reviewing the ballot definition files would insert the commands that tell the 
Attack Program which race to target. 

• If the ballot definition files are created by local jurisdictions: Three separate 
people working in the election offices of the three largest counties insert 
commands into the ballot definition files. Obviously these co-conspirators would 
have to possess access to the ballot definition files. 

• The Software Attack Program could be set to activate on a specific date and 
time (e.g., the first Tuesday after the first Monday in November, after 11 a.m.). 
This would help it avoid detection during Logic and Accuracy Testing; there 
would be no need to worry about ITA or Acceptance Testing, as the ballot 
definition file is not subjected to either of these tests. 

• When switching votes, the ballot definition file could show voters Tom 
Jefferson on the confirmation screen, but electronically record a vote for 
Johnny Adams. 

• Alternatively, the Software Attack Program could alter votes in the 
electronic memory at the end of a full day of voting. 

• To avoid detection after the polls have closed, the Software Attack Program 
could create and provide a new log to the outside world, different than the 
one stored internally. 

In the gubernatorial election for the State of Pennasota, we have calculated that 
if a Trojan Horse were inserted into the ballot definition files for only the three 
largest counties, it would need to switch only four (4) votes per machine (or less 
than 5% of votes per machine) to change the results of our close statewide 
election: 

Total votes Johnny Adams needs to switch for comfortable victory: 51,891 

Number of DREs w/VVPT in 3 largest counties: 9,634 

If four (4) votes on each machine in the three largest counties were switched, 
Johnny Adams would have gained enough votes to defeat Tom Jefferson 
comfortably. 

Thus, this attack would require between two and four participants; one to insert 
the Software Attack Program, plus either one or three (depending upon whether 
ballot definition files were created at the vendor or county) to provide triggering 
and parameterization commands in the ballot definition files. 





FIGURE 7 

POSSIBLE ATTACK ON DRE WITH VVPT 

[Figure not reproduced. Recoverable labels: attack program embedded in firmware, 
not subject to ITA inspection; electronic record shows Johnny Adams; a second 
label reads “shows Tom Jefferson.”] 



Although it might be more difficult than other types of Trojan Horse attacks 
(because it could require one informed participant per county, as opposed to a 
single informed participant via several points of entry), the “Trojan Horse 
Triggered by Hidden Commands in the Ballot Definition File” attack has certain 
elements that would render it less difficult to execute: 

• This attack provides the attackers a great deal of flexibility. The attackers can 
wait until just before any election to trigger an attack, and their attack can 
target specific precincts. 

• This attack is reusable. The attack program would not do anything unless it 
receives commands from ballot definition files. These commands could come 
before any election and the attack program could lie dormant and 
undetected for many election cycles. 





ATTACKING BOTH PAPER AND ELECTRONIC RECORDS 
(DRE w/VVPT ATTACK NUMBER 6) 

In the above analysis, we assumed that the paper trail is not attacked: only the 
electronic record misrecorded the vote. Would not this mean that the attack 
would be detected? Not necessarily. 

Even in states with mandatory voter-verified paper trails, official vote totals are 
still extracted from the electronic record of the machine. While an attacker might 
have to worry that a VVPT recount in a close race would expose the attack, 
statewide recounts are still relatively rare. 

PAPER MISRECORDS VOTE 

To prevent an attack from being noticed in a recount, our attacker could create 
a Software Attack Program that also directs the printer to record the wrong vote. 
This “Paper Misrecords Vote” attack is Attack Number 6 in the DRE w/VVPT 
Catalog. 

The attack could work the same way as DRE w/VVPT Attack Number 1a 
(Trojan Horse Triggered with Hidden Commands in Ballot Definition File), 
except that it would add a step: the paper receipt printed after the voter has made 
all of her selections would incorrectly record her vote for governor. In practice, 
this is how it would work: 

• When a targeted voter chooses Tom Jefferson, the screen would indicate that 
she has voted for Tom Jefferson. 

• After she has completed voting in all other races, the DRE would print a 
paper record that lists her choices for every race, except for governor. Under 
the governor’s race, it would state that she has selected Johnny Adams. 

• When the DRE screen asks the voter to confirm that the paper has recorded 
her vote correctly, one of two things would happen: 

    - The voter would fail to notice that the paper has misrecorded the vote 
      and accept the paper recording; or 

    - The voter would reject the paper record, and opt to vote again. 

• If the voter rejects the paper record, the second time around it would show 
that she voted for Tom Jefferson. This might lead her to believe she had 
accidentally pressed the wrong candidate the first time. In any event, it might 
make her less likely to tell anyone that the machine made a mistake. 

This attack would not require any additional participants in the conspiracy. Nor 
is it entirely clear that enough voters would notice the misrecorded votes to 
prevent the attack from working. 

DO VOTERS REVIEW VVPT? 

In a recent study, Professor Ted Selker and Sharon Cohen of MIT paid 36 
subjects to vote on DRE w/VVPT machines. They reported that “[o]ut of 108 
elections that contained errors . . . only 3 [errors were recognized] while using the 
VVPT system.” 

If only 3 of every 108 voters noticed when the paper trail misrecorded a vote for 
Tom Jefferson as a vote for Johnny Adams, DRE w/VVPT Attack Number 6 
would probably work. If the Trojan Horse targeted approximately 54,000 voters 
for Tom Jefferson (or roughly 1 in every 9 voters for Tom Jefferson in the three 
largest counties), the vast majority would not notice that the paper had 
misrecorded their votes. 3% - or 1,633 - would notice. These voters would cancel 
the paper record and vote again. The second time, the paper would record their 
votes correctly. 


FIGURE 8 

WHERE 3% OF VOTERS CHECK VVPT 

Total votes Johnny Adams needs to switch for comfortable victory    51,891 
Total votes                                                         3,459,379 
Votes attacked                                                      54,437 
% of voters who study VVPT carefully                                3.0% 
Number of rejections of misrecorded votes                           1,633 
Number of votes successfully switched                               52,804 


This would still leave enough switched votes for Johnny Adams to win the
governor’s race comfortably. We do not know how many of the 1,633 voters who
rejected their votes would complain to poll workers that the machines had
initially misrecorded their votes. But even if 50% of those voters were to
complain, this would be an exceptionally small number of complaints. With
nearly 1,700 precincts and 10,000 DREs w/VVPT in the three largest counties, 820
complaints amount to less than one complaint per two precincts and twelve
machines.

We are skeptical that in the State of Pennasota, only 3% of voters would notice
if their choice for governor was misrecorded on the paper trail. This is because
(1) the race that we are looking at is for the top office in the state; this is an
election with which voters are more likely to be concerned and, consequently, they
would be more likely to check that the VVPT has correctly recorded their votes
(as opposed to their votes for, say Proposition 42, which is likely to be in the
middle or bottom of their paper trail), and (2) in an actual election (as opposed
to the MIT study), where candidates should be well known to most voters, they are
probably more likely to notice if the paper trail accurately reflects their choice.

Keeping in mind that the attacker’s goal is to switch 51,891 votes, let us assume
that 20% of all voters for Tom Jefferson in our three tainted counties would
check to see that the paper has accurately recorded their votes. The attacker
could reach her goal by targeting 66,000 voters for Tom Jefferson (out of nearly
1.1 million votes cast in these counties). Over 13,200 of these voters would notice
that the paper misrecorded their choice; they would recast their votes. But over
52,800 would not notice; these extra 52,800 votes would be sufficient to change
the outcome of the election.


FIGURE 9

WHERE 20% OF VOTERS CHECK VVPT

Total votes Johnny Adams needs to switch for comfortable victory      51,891
Total votes                                                        3,459,379
Votes attacked                                                        66,004
% of voters who study VVPT carefully                                   20.0%
Number of rejections of misrecorded votes                             13,201
Number of votes successfully switched                                 52,804


It might be argued that if 13,200 people noticed that their votes had been
misrecorded on the VVPT, someone would realize that something was wrong with
the machines. The truth is, we cannot know what would happen if this number
of people were to notice that their votes were misrecorded. As already discussed,
many people would probably presume that the mistake was theirs and not that of
the machine.

By contrast, if 80% of voters for Tom Jefferson in the three counties checked
their paper records thoroughly, it is doubtful the attack could succeed. The
Trojan Horse would have to target over 264,000 voters for Tom Jefferson to get
the 51,891 needed to ensure victory for Johnny Adams. 211,212 voters for Tom
Jefferson would notice that the paper trail initially recorded their votes
incorrectly; this represents over 40% of all of his votes in the three largest
counties.

We can see from this analysis that convincing voters to review their VVPT is
critical to its effectiveness as a measure to thwart certain Trojan Horse attacks.





THE EFFECT OF REGIMEN FOR PARALLEL TESTING
PLUS BASIC SET OF COUNTERMEASURES 

Our analysis of the effect of the Basic Set and Regimen for Parallel Testing Plus
Basic Set of Countermeasures against the least difficult attack for DREs
w/VVPT does not dramatically change from the same analysis done for DREs
without VVPT. Unless voters check the paper trail and report suspected
misrecordings to poll workers when they occur, the paper trail, by itself, provides
very little additional security.

The Regimen for Parallel Testing Plus Basic Set of Countermeasures should
provide more protection than just the Basic Set of Countermeasures. In fact, if the
Software Attack Program does not recognize that it is being tested, Parallel
Testing would probably catch this type of attack; presumably at least one tester
would notice that the paper record was not recording correctly.

However, as already discussed, supra pp. 55-59, we have concerns about certain
vulnerabilities in Parallel Testing: first, there is the possibility that the person
installing the ballot definition file commands triggering the attack program would
know which precincts are going to be subject to Parallel Testing - in California,
precincts are told at least one month in advance whether their machines will be
tested. If the attacker knows where the Parallel Testing is going to occur, she
can simply refrain from inserting the triggering commands in ballot definition
files for those precincts.

Second, the attacker could, via a wireless communication or Cryptic Knock (1)
activate the Trojan Horse on machines she sees are not being tested on Election
Day, or (2) de-activate the Trojan Horse on machines she sees are being tested on
Election Day (this presumes that Parallel Testing is done at the polling stations).

Finally, the Trojan Horse could have been programmed in a way that would allow
it to detect whether it is being tested: if the attacker knew something about the
testing script in advance or had a good understanding of Parallel Testing
procedures, she might be able to program the Trojan Horse to shut off during all
Parallel Testing.

As already discussed, the successful subversion of Parallel Testing, while adding
significant complexity to a software attack, might require the additional
participation of between only one and three extra informed participants.


EFFECT OF REGIMEN FOR AUTOMATIC ROUTINE AUDIT
PLUS BASIC SET OF COUNTERMEASURES 

The Regimen for Automatic Routine Audit Plus Basic Set of Countermeasures,
if instituted as detailed supra pp. 16-18, should be an effective countermeasure
against our least difficult attack. As detailed in Appendix K, if 2% of all
machines were audited, auditors should have a greater than 95% chance of
discovering a mismatch between electronic records and paper records, where a
Trojan Horse misrecorded a voter’s choice in the paper record. This, of course,
presumes that the attacker failed to find a way to subvert the Regimen for
Automatic Routine Audit.

We have identified at least four ways an attacker could subvert the Regimen for 
Automatic Routine Audit: 

1. The Trojan Horse attacks both paper and electronic records, and most
   voters do not review the paper record before casting their votes, resulting in an
   attack that successfully subverts both the electronic and paper record.

2. The selection of auditors is co-opted.

3. The paper record is replaced before an audit of the voter-verified paper
   record takes place, for the purpose of matching paper records to corrupted
   electronic records.

4. The paper record is replaced merely to add votes for one candidate, without
   regard to what has occurred in electronic record.

As with our analysis of the Regimen for Parallel Testing, to determine the likely
effectiveness of the Regimen for Automatic Routine Audit, we must ask how
much more difficult it would make our least difficult attack. This means, among
other things, examining how many people it would take to subvert the Regimen
for Automatic Routine Audit by each of the four methods listed above.

TROJAN HORSE ATTACKS PAPER AT TIME OF VOTING.
VOTERS FAIL TO REVIEW

Our attacker does not necessarily need to attack the audit process directly to
subvert it. What if, as already described in our discussion of DRE w/VVPT Attack
Number 6 (see supra p. 65-67), the attacker merely designs a Trojan Horse that
changes both the paper and electronic record?

As noted above, if 80% of voters thoroughly reviewed their paper trails, it is very 
likely that an attack on the paper trail at the time of voting would fail. Assuming, 
however, that this attack is noticed by voters for Tom Jefferson only 20% of the 
time, how much more difficult would the Regimen for Automatic Routine Audit 
make the attack? 

If the audit of the voter-verified paper record merely adds up total votes on paper 
and compares them to total votes in the electronic record, it is doubtful this attack 
would be discovered by election officials. The paper record would match the elec- 
tronic record. The attacker would not need to add any people to her conspiracy 
to succeed. 





If, on the other hand, the audit of the voter-verified paper record looks for
statistical anomalies by, for instance, looking at the number of times voters cancelled
the paper record of their vote, this attack is likely to be caught. As already noted
in Figure 9, if 20% of targeted voters notice that their paper record has not
correctly recorded their vote for Tom Jefferson, there would be more than 13,000
cancellations showing Johnny Adams’ name crossed out, and subsequently
replaced by Tom Jefferson:

Total votes Johnny Adams needs to switch for comfortable victory      51,891
Total votes                                                        3,459,379
Votes attacked                                                        66,004
% of voters who study VVPT carefully                                   20.0%
Number of rejections of misrecorded votes                             13,201
Number of votes successfully switched                                 52,803


While 13,201 votes is an extremely small percentage of the 3.4 million votes cast,
it would represent an unusually large number of cancellations. Larry Lomax,
Registrar of Voters for Clark County, Nevada (which has used DREs w/VVPT
since 2004) states that in Clark County it is “the exception” to find a single
cancellation on a DRE’s entire roll of paper trail. Even if we were to assume that
it is normal to have one cancellation for every two DREs w/VVPT, this would
mean that in Pennasota, there would ordinarily be about 14,000-15,000
cancellations in the entire state. Thus, an audit of the voter-verified paper record that
looked for statistical anomalies like cancellations would show that there were 90%
more cancellations than normal.

An audit of the voter-verified paper record that noted which votes were changed 
after cancellation would show an even more troubling pattern: a highly dispro- 
portionate number of cancellations where the paper record changed from Johnny 
Adams to Tom Jefferson. 

Finally, to the extent this attack is limited to the smallest possible number of
polling places in three counties (as we originally suggested), certain audits would
show an even higher statistical anomaly - with an additional 22 paper
cancellations per polling place.
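
The statistical checks described above (cancellation volume against a baseline, and the direction in which cancelled records were changed), as an added example that is not part of the original report. The event records, polling-place names, flagging threshold and the assumption that honest slips are equally likely in either direction are constructed for illustration; the baseline of one cancellation per two DREs is the report's.

```python
import math
from collections import Counter

# From the report: treat one cancellation per two DREs w/VVPT as "normal".
BASELINE_PER_MACHINE = 0.5
# Assumption for this example: flag anything rarer than 1 in 1,000 by chance.
ALPHA = 0.001


def poisson_upper_tail(k, mean):
    """P(X >= k) for X ~ Poisson(mean); terms are computed in log space."""
    if k <= 0:
        return 1.0
    if mean <= 0:
        return 0.0
    below = sum(math.exp(i * math.log(mean) - mean - math.lgamma(i + 1))
                for i in range(k))
    return max(0.0, 1.0 - below)


def binomial_upper_tail(k, n, p=0.5):
    """P(X >= k) for X ~ Binomial(n, p), exact."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i)
               for i in range(k, n + 1))


def audit_cancellations(events, machines_per_place,
                        cand_a="Johnny Adams", cand_b="Tom Jefferson"):
    """Review cancelled VVPT records found on the audited paper rolls.

    events: one (polling_place, cancelled_choice, final_choice) tuple per
            cancelled paper record.
    machines_per_place: {polling_place: number of DREs audited there}.
    """
    # Check 1: is the number of cancellations at each polling place plausible
    # under the baseline rate? Places with no cancellations are still visited.
    per_place = Counter(place for place, _, _ in events)
    volume_flags = {}
    for place, machines in machines_per_place.items():
        count = per_place.get(place, 0)
        p_value = poisson_upper_tail(count, BASELINE_PER_MACHINE * machines)
        if p_value < ALPHA:
            volume_flags[place] = count

    # Check 2: do the corrections run overwhelmingly in one direction?
    # Assumed null hypothesis: an honest slip is equally likely either way.
    a_to_b = sum(1 for _, old, new in events if (old, new) == (cand_a, cand_b))
    b_to_a = sum(1 for _, old, new in events if (old, new) == (cand_b, cand_a))
    n = a_to_b + b_to_a
    p_direction = 1.0
    if n:
        tail = binomial_upper_tail(max(a_to_b, b_to_a), n)
        p_direction = min(1.0, 2 * tail)  # two-sided

    return {
        "volume_flags": volume_flags,
        "a_to_b": a_to_b,
        "b_to_a": b_to_a,
        "direction_p": p_direction,
        "direction_flag": p_direction < ALPHA,
    }


def constructed_sample():
    """Constructed audit data: four polling places with six DREs each."""
    adams, jefferson = "Johnny Adams", "Tom Jefferson"
    events = [("Place-1", adams, jefferson), ("Place-1", jefferson, adams)]
    events += [("Place-2", adams, jefferson)] * 23
    events += [("Place-2", jefferson, adams)] * 2
    events += [("Place-3", jefferson, adams)]
    machines = {"Place-1": 6, "Place-2": 6, "Place-3": 6, "Place-4": 6}
    return events, machines


if __name__ == "__main__":
    result = audit_cancellations(*constructed_sample())
    for place, count in result["volume_flags"].items():
        print(f"{place}: {count} cancellations, far above baseline")
    print(f"Adams->Jefferson: {result['a_to_b']}, "
          f"Jefferson->Adams: {result['b_to_a']}, "
          f"p = {result['direction_p']:.2e}, flagged = {result['direction_flag']}")
```

A flag from either check is a trigger for the investigation procedures the report calls for, not a finding of tampering in itself.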

Of course, finding statistical anomalies, no matter how troubling, would not, in
and of itself, thwart an attack. Jurisdictions will have to put in place certain rules
regarding what is to be done when such anomalies are found.

Other than requiring auditors and election officials to look for discrepancies 
between paper and electronic records, states do not currently mandate review of 
paper records for statistical anomalies. States that do not review statistical anom- 
alies (such as, for instance, an unusually high number of cancellations or skipped 
races) during audit will remain vulnerable to a number of attacks. 





Our analysis shows that unless a jurisdiction implements and adheres to effective
policies and procedures for investigating such anomalies (and taking remedial
action, where appropriate), a review of statistical anomalies will be of
questionable security value. We provide examples of procedures that would allow
jurisdictions to respond effectively to detection of statistical anomalies in the
voter-verified paper record in Appendix M.

CO-OPTING THE AUDITORS

An obvious, but difficult way to subvert the audit is to directly co-opt the
auditors. However, given the fact that under the Regimen for Automatic Routine
Audit audit teams are randomly assigned to randomly selected voting machines,
it would be exceptionally difficult to defeat the Regimen for Automatic Routine
Audit by co-opting the auditors. We have estimated that in an audit of 2% of all
machines, there would be 386 auditors randomly assigned to machines in the
three largest counties in Pennasota. As demonstrated in Appendix L, to have a
reasonable chance of subverting the audit by infiltrating the auditors, it would be
necessary to subvert all of them.

Of course, if a corrupt person selects the auditors or polling places and does not
follow the “transparent random selection process” discussed supra p. 17,
subversion of the Automatic Routine Audit becomes much easier. For instance, if the
attacker were in control of the decision as to which polling places to pick for the
audit, she could deliberately choose those polling places that she knows the
Trojan Horse did not attack. For this reason, transparent randomness (as
discussed in detail in Appendix F) is critical to an effective audit.

REPLACING PAPER BEFORE THE AUTOMATIC ROUTINE AUDIT TAKES PLACE 

Another way to subvert the Regimen for Automatic Routine Audit is to replace
the paper before an audit can be completed, for the purpose of making sure that
the audited paper records match the corrupted electronic records. This would be
nearly impossible if the audit of the voter-verified paper record was conducted in
the polling places immediately after the polls close.

We understand that for many jurisdictions, this will not be realistic. After
spending all day at the polls, it is likely that pollworkers and election officials would not
want to spend additional time assisting auditors as they conduct an audit of the
voter-verified paper record. Moreover, many audit volunteers may be reluctant to
begin conducting an audit (which would, at the very least, take several hours) at
9 or 10 p.m.

If the audit of the voter-verified paper record is not conducted at the polls imme- 
diately upon their closing, there are at least two ways in which an attacker could 
corrupt or replace the paper trail: (1) by intercepting and replacing the paper 
while it is in transit to the warehouse or county offices where the audit would take 
place, or (2) by replacing the paper where it is stored prior to the audit. 





If there are very strong physical security measures, such as those assumed in the
Basic Set of Countermeasures, and paper from each polling place is delivered to
the audit location separately, task (1) would be extremely difficult. Even assuming
the attackers have attacked the minimum number of polling places (606), they
would need to intercept and replace more than 550 separate convoys of paper to
have even a one in three chance that the audit would not catch the fact that some
paper record had different totals than the electronic record. Given that in most
states all polls close at the same time, this would seem to require the participation
of at least 1,100 additional informed participants, making the attack far more
difficult.

The alternative would be to attempt to replace the paper records at the county
warehouses, prior to the audit. As already discussed, our assumption is that our
attackers would need to target a minimum of three counties to change the
outcome of the governor’s race in Pennasota. This means, at a minimum, that our
attackers would need to target three separate county warehouses and replace the
paper records stored there.

Again, if very strong physical security measures and the chain of custody
practices assumed in the Basic Set of Countermeasures are followed, this should be
very difficult.

We have estimated that 2,883 DREs w/VVPT would have to be replaced to
change the outcome of a statewide race. In Pennasota, the voter-verified
paper records of each of these machines would have been sealed with tamper
evident seals and stored in a room with perimeter alarms, secure locks, video
surveillance, and there would be regular visits by security guards and police officers.
The seal numbers would have been assigned at the polling place and logged by
county officials upon reaching the county warehouse.

We have assumed that the audit of the voter-verified paper record would begin
at 9 a.m. the morning after the polls closed, so our attackers would have to
subvert all of these precautions and replace the paper trails for nearly 2,117 DREs
w/VVPT in three county warehouses within a matter of hours to ensure that the
attack was not discovered during the audit.

Aside from the fact that, in Pennasota, our attackers would (in this very short time
period) need to (1) break and replace thousands of tamper-evident seals in three
separate locations, (2) get past the warehouse locks and alarms, (3) co-opt (or
avoid detection by) the randomly assigned police officers and security guards at
each location, and (4) somehow avoid detection by the video surveillance, the
attackers would also need to deliver and replace 2,117 rolls of VVPT (or, in the
case of PCOS, about 40,000 separate ballots) without independent observers
outside or inside the warehouse noticing. We have concluded that it would not be
feasible to carry out this attack without detection over such a short period of time,
unless the attackers had the cooperation of hundreds of participants including
many insiders (i.e., security guards, policemen and video-monitors).





REPLACING SOME PAPER RECORDS MERELY TO ADD VOTES 

Our attackers have a final option: attack the paper records, not for the purpose
of reconciling them with the electronic records, but merely to add enough paper
votes to Adams's total to ensure that the paper records also show him winning.
This would merely mean stuffing enough ballot boxes with additional ballots to
give Adams a majority of votes in the paper record.

The audit of the voter-verified paper record would then show a discrepancy
between the electronic and paper records. A recount would follow. It would show
that Adams had more votes in the paper record. In 15 states, the VVPT laws
specify that “if there is a recount, the paper ballot” is the official record.

There are a number of problems associated with a bright line rule stating that the 
paper (or electronic) record will always control election results. There is certainly 
nothing wrong with providing that paper records will have a “presumption” of 
authority. A bright line rule, however, could invite the kind of deception we are 
seeking to prevent. 

As this analysis shows, the main benefit of paper, when accompanied by the
Regimen for Automatic Routine Audit, is that it requires the attackers to subvert
both the electronic and paper records. If the attackers know that they only have to
attack the paper record, their attack becomes significantly easier.

In our scenario, the attackers would successfully insert the Trojan Horse.
Obviously, they would not have to do this if they knew the paper record always
controlled. They could merely attack the paper record and hope the audit of the
voter-verified paper record would spot a contradiction between the paper and
electronic records (which it almost certainly would if they switched enough votes
to change the outcome of the election).

But let us suppose they did insert the Trojan Horse. If they intercepted 60
convoys of paper (or merely replaced several ballot boxes in 60 polling places before
they were transported), they could replace enough paper to create a victory for
Johnny Adams in the paper record as well. While not easy, this attack is clearly
much easier (involving at least 1,000 fewer participants) than one that would
require the attackers to prevent the audit of the voter-verified paper record from
revealing contradictory paper and electronic records.

Of course, when the audit of the voter-verified paper record was conducted,
Pennasota would discover that something strange had happened: in at least a few
audited polling places, the paper and electronic records would not match.

But this would not tell Pennasota who won. A recount would show Johnny Adams
winning under either set of records. A bright line rule about which record should
govern in such circumstances is problematic. It would encourage the kind of
deception we have imagined in this attack: if Pennasota had a law stating paper
records should govern (as provided in California), Johnny Adams would win. If
the law stated that electronic records govern (as provided in Idaho and
Nevada), Johnny Adams would still win.

What can be done to prevent this attack? We discuss this below. 

TAKING ACTION WHEN AUTOMATIC ROUTINE AUDIT FINDS ANOMALIES

Many state statutes are silent as to what should happen when paper and
electronic records cannot be reconciled. As already discussed, Illinois law provides
that where electronic and paper records in the Automatic Routine Audit do not
match, the county notifies “the State Board of Elections, the State’s Attorney and
other appropriate law enforcement agencies, the county leader of each political
party, and qualified civic organizations.”

As with Parallel Testing, an Automatic Routine Audit offers questionable
security benefit unless effective procedures to investigate discrepancies (including
taking remedial action, where necessary) are implemented and adhered to. Again,
detection of possible fraud without an effective response will not thwart an attack
on voting systems. The following are examples of procedures that would allow
jurisdictions to respond effectively to discrepancies between paper and electronic
records during an Automatic Routine Audit:

1. Conduct a transparent investigation on all machines where the paper and
   electronic records do not match to determine whether there is any evidence
   that tampering with the paper records has occurred.

2. To the extent that there is no record that the paper records have been
   tampered with, certify the paper records.

3. If there is evidence that the paper records have been tampered with, give a
   presumption of authority to the electronic records.

4. After giving a presumption of authority to the electronic records, conduct a
   forensic investigation on all machines where the paper and electronic records
   do not match. The purpose of this investigation would be to determine
   whether there has been any tampering with the electronic records.

5. If tampering with the electronic records can be ruled out, certify the
   electronic records.

6. Where there is evidence that both sets of records have been tampered with,
   conduct a full recount to determine whether and to what extent paper and
   electronic records cannot be reconciled.





7. At the conclusion of the full recount, determine the total number of 
machines that report different electronic and paper records. 

8. After quantifying the number of machines that have been tampered with, 
determine the margin of victory in each potentially affected race. 

9. Based upon (a) the margin of victory, (b) the number of machines affected,
   and (c) the nature and scope of the tampering, determine whether there is a
   substantial likelihood that tampering changed the outcome of a particular
   race.

10. In the event that a determination is made that there is a substantial likelihood
    that tampering changed the outcome of a particular race, hold a new
    election for the office.

CONCLUSIONS

Conclusions from the Representative Least Difficult Attack 

■ Assuming that only 20% of voters review their voter-verified paper trail, a
  minimum of one to three informed participants will be needed to
  successfully execute DRE w/VVPT Attack Number 6 (Memory and Paper
  Misrecord Vote Due to Trojan Horse Inserted in Ballot Definition File) and
  change the result of the Pennasota governor’s race.

■ Assuming that 80% of voters review their voter-verified paper trail, DRE
  w/VVPT Attack Number 6 will not succeed.

■ With the Parallel Testing Regimen Plus Basic Set of Countermeasures, DRE
  w/VVPT Attack Number 6 becomes more difficult. The attacker will need
  at least 2 to 6 informed participants to successfully execute DRE w/VVPT
  Attack Number 6 and change the result of the Pennasota governor’s race.

■ DRE w/VVPT Attack Number 6 would be substantially more difficult
  to successfully execute against the Basic Set of Countermeasures Plus the
  Automatic Routine Audit Regimen than it would be against the Basic Set of
  Countermeasures or the Parallel Testing Regimen Plus Basic Set of
  Countermeasures. The attacker will need at least 386 informed participants
  to successfully execute DRE w/VVPT Attack Number 6 and change the
  result of the Pennasota governor’s race.





Conclusions about the DRE w/VVPT

■ As with DREs without VVPT, local jurisdictions that take control of
  important tasks, like creating ballot definition files, will make successful statewide
  attacks more difficult.

■ The value of paper without an Automatic Routine Audit against many
  attacks (such as DRE Attack Number 1a, where the electronic record is
  changed, but the paper record is not) is highly questionable.

■ If voters are encouraged to review their VVPT thoroughly before casting
  their votes, many of the least difficult attacks against DREs w/VVPT will
  become substantially more difficult.

Conclusions about the Regimen for Automatic Routine Audit
Plus Basic Set of Countermeasures

■ Statistical examination of anomalies, such as higher than expected
  cancellations, can help to detect fraud. Currently, none of the states that conduct
  routine audits of voter-verified paper records examine those paper records
  for statistical anomalies.

■ Automatic Routine Audits conducted soon after the close of polls are less
  vulnerable to attack because there is less time to tamper with the paper records.

■ Good chain of custody practices and physical security of paper records prior
  to the Automatic Routine Audit is crucial to creating an effective auditing
  regimen. Specifically, the following practices should make the auditing
  process more secure:

    ■ At close of the polls, vote tallies for each machine are totaled and
      compared with number of persons that have signed the poll books.

    ■ A copy of totals for each machine is posted at each polling place on
      election night.

    ■ All audit information (Event Logs, VVPT records, paper ballots,
      machine printouts of totals) that is not electronically transmitted as part
      of the unofficial upload to the central election office, is delivered in
      official, sealed and hand-delivered information packets or boxes. All seals
      are tamper-resistant.

    ■ Transportation of information packets is completed by at least two
      election officials representing opposing parties who have been instructed to
      remain in joint custody of the information packets or boxes from the
      moment they leave the precinct to the moment they arrive at the county
      election center.





    ■ Each polling place sends its information packets or boxes to the county
      election center separately, rather than having one truck or person pick up
      this data from multiple polling locations.

    ■ Once the sealed information packets or boxes have reached the county
      election center, they are logged. Numbers on the seals are checked to
      ensure that they have not been replaced. Any broken or replaced seals
      are logged. Intact seals are left intact by officials.




    ■ After the packets and/or boxes have been logged, they are provided with
      physical security precautions at least as great as those listed for voting
      machines, above. Specifically: the room in which they are stored would
      have perimeter alarms, secure locks, video surveillance and regular visits
      by security guards and access to the room would be controlled by sign-in,
      possibly with card keys or similar automatic logging of entry and exit for
      regular staff.


■ The auditing process will be much less vulnerable to attack if machines and
  auditors are selected and assigned in a publicly transparent and random
  manner.


Conclusions about Taking Action
When Anomalies Are Found in the Automatic Routine Audit

An automatic routine audit offers questionable security benefit unless effective 
procedures to investigate discrepancies (including taking remedial action, where 
necessary) are consistently implemented. Detection of possible fraud without an 
effective response will not thwart an attack on voting systems. 


ATTACKS AGAINST PCOS

We have identified over forty (40) potential attacks against PCOS. Many of these
attacks are similar to the attacks against both DRE systems.

Nothing in our research or analysis has shown that a Trojan Horse or other
Software Attack Program would be more difficult against PCOS systems than
they are against DREs. All of the least difficult attacks against PCOS involve the
insertion of Trojan Horses or corrupt software into PCOS scanners. In this
section, we examine how this attack would work, and how much more
“expensive” such attacks would be made by the “Basic,” “Regimen for Parallel Testing
Plus Basic” and “Regimen for Automatic Routine Audit Plus Basic” sets of
countermeasures.


We also address certain security concerns that are unique to the PCOS system. 





REPRESENTATIVE "LEAST DIFFICULT" ATTACK:
SOFTWARE ATTACK INSERTED ON MEMORY CARDS
(PCOS ATTACK NUMBER 41)

We have already discussed how a Trojan Horse might be inserted into both types
of DRE systems. The insertion of a Trojan Horse into a PCOS scanner would
not differ in any significant way. It could be inserted into the main PCOS source
code tree, operating system, COTS software, and software patches and updates,
etc. In most cases, this would require the involvement of a minimum of one person.

Attack Number 41 in the PCOS Catalog is an attack that has been
demonstrated to work in at least two election simulations: use of memory cards to change
the electronic results reported by the PCOS scanner. While this attack has only
been publicly attempted against one model of PCOS scanner, several computer
security experts who have reviewed other PCOS systems believe that they may be
vulnerable to similar attacks.

DESCRIPTION OF ATTACK 

This attack uses replaceable memory cards to install the software attack. Memory
cards are used by both DREs and PCOS scanners. Memory cards contain data
that is used by the machines, including the ballot definition files (which allow the
machine to read the ballots) and the vote totals. At least one major vendor has its
report generation program on its memory cards -- this is the program that, among
other things, tells the machine what vote totals to print at the close of the polls.
This is the record pollworkers use to record the final vote tally of each machine.

Attackers could use the memory cards to generate false vote total reports from the 
machine. Here is how the attack would work:

• The attacker acquires access to the memory cards before they are sent to
  individual polling places. She could gain access:

    - At the county office where they are programmed, if she works there, or
      if security is lax.

    - Via modem, if the central tabulator that programs the cards is con-
      nected to a telephone line.

    - Via modem if the PCOS that reads the cards is connected to a telephone
      line.

• The attacker programs the memory cards to generate a vote total that switch-
  es several votes from the Democratic-Republicans to the Federalists (or from
  Jefferson to Adams).





• She further instructs the memory card to generate the false total only if 400
  ballots have run through the scanner in a single 24-hour period (unlike
  DREs, PCOS scanners can scan hundreds or thousands of votes in a single
  day). This should help it avoid detection during Logic and Accuracy Testing.

• The attacker does not have to worry about ITA inspection or testing or
  Acceptance testing because the memory cards are not subject to ITA inspec-
  tion or testing and are created after Acceptance Testing is complete.

• At the close of the polls, when election officials and/or poll workers ask the
  PCOS scanner to generate its vote total report, the false report would be gen-
  erated.

As with Trojan Horse Attacks and other Software Attack Programs used against 
DREs, the attackers could target a relatively small number of machines and still
change the outcome of our statewide race. 

We have assumed that the State of Pennasota has purchased one PCOS machine
for each precinct. This would mean that in its three largest counties, there
would be a total of 1,669 PCOS machines, with approximately 693 voters per
machine. In the entire state, there would be 4,820 machines, with approximately
718 voters per machine.

Again, presuming that our attacker wants to switch 51,891 votes from Tom
Jefferson to Johnny Adams, she could target fewer than half of the machines in
the three largest counties, switching about 7% of the votes for governor on each
machine. On the other hand, if the attacker chose to target all PCOS scanners
in the state, it would be necessary to switch only about 8 votes per machine (or
slightly more than 1% of all votes cast on each machine).

As with the Software Attacks against DREs previously discussed, if the Software
Attack Program functioned as intended (and presuming there was no recount,
Parallel Testing or audit), there would be no way for election officials to know that
the electronic records were tampered with.

This attack would require a minimum of one to three people: one if the central tabulators 
in several counties are connected to a telephone line (in which case, an attacker
could hack into the central tabulators and insert the attack program into the
memory cards via the central tabulator), and three if the state made sure that
there was no way to contact the central tabulators or PCOS machines via modem
or wireless communication (in which case, three individuals would have to gain
access to the county offices in the three largest counties and program or repro-
gram the memory cards before they were sent to the polling places).




EFFECT OF BASIC SET OF COUNTERMEASURES 

Our analysis of the three sets of countermeasures is substantially similar to our 
analysis in the DRE w/VVPT section.

This attack is not likely to be caught by the Basic Set of Countermeasures.
Memory cards are not subject to ITA or Acceptance Testing. If the attacker is
clever, she should be able to ensure that Logic and Accuracy Testing does not
catch this attack either. The memory cards are inserted in the normal course of 
election practice; physical security around the machines and ballots would not 
prevent successful execution of the attack. 

EFFECT OF REGIMEN FOR PARALLEL TESTING 
PLUS BASIC SET OF COUNTERMEASURES 

We are unaware of any jurisdiction that performs Parallel Testing on PCOS sys-
tems. Nevertheless, we believe that Parallel Testing would probably catch this
attack. Unlike Trojan Horses and other Software Attack Programs previously dis-
cussed, the attack would probably not allow the PCOS to know whether it was
being Parallel Tested.

However, our concerns regarding the ability of other types of Software Attack 
Programs to circumvent Parallel Testing (i.e., the insertion of a Trojan Horse into
firmware, vendor software, COTS software, software patches and updates) apply 
to PCOS for the same reasons already detailed in our discussion of attacks 
against DREs. Specifically, we believe that under the right circumstances and 
with enough knowledge and time, it would be possible to devise a Software Attack 
Program against PCOS systems that would allow the scanners to trigger or deac- 
tivate based upon the program’s ability to detect whether the scanner is being 
tested. 

Thus, if the attacker knew that Parallel Testing was performed on PCOS 
machines in Pennasota, she could insert a Trojan Horse that would recognize if 
the machine was being Parallel Tested. This would require involving between one and
three additional people in the attack; specifically, the attack would need to involve peo-
ple who could gain enough knowledge about the Parallel Testing regime (i.e., the
Parallel Testing script writer, a consultant who worked on creating the Parallel 
Testing procedures) to provide information to subvert it. 




EFFECT OF REGIMEN FOR AUTOMATIC ROUTINE AUDIT 
PLUS BASIC SET OF COUNTERMEASURES 

All of our findings regarding the Regimen for Automatic Routine Audit in the
DRE w/VVPT section apply to the Automatic Routine Audit as a countermea-
sure against the least difficult attack against PCOS. If the Regimen for Automatic
Routine Audit is fully implemented (including the use of transparent randomness
in selecting auditors and polling places for audit, as well as instituting proper
chain of custody and paper security practices), the Regimen for Automatic Routine
Audit Plus Basic Set of Countermeasures should make the least difficult attack against PCOS
more difficult by several hundred participants.

However, at least two of the attacks in our attack catalog point us to unique issues
associated with PCOS and the Regimen for Automatic Routine Audit counter- 
measures. 

PCOS Attack Number 42: 

Trojan Horse Disables Overvote Protections

One of the benefits of PCOS machines over Central Count Optical Scanners
(which are very often used in tallying absentee ballots) is that they have an
“over/undervote protection.” The attack discussed below is a variant of the
Trojan Horse attacks already discussed with one important exception: instead
of changing votes or the vote total tally, it merely disables the over/undervote
protection.

The over/undervote protection on PCOS scanners works as follows: when a voter 
fills out his ballot, but accidentally skips a race (or accidentally fills in two candi- 
dates for the same race), the scanner would refuse to record the vote and send it 
back to the voter for examination. The voter then has the opportunity to review
the ballot and correct it before resubmitting it.

Central Count Optical Scanners have been shown to lose as many as three times
as many votes as PCOS. The lack of over/undervote protection on Central
Count Optical Scanners may be the reason for this difference. In counties with
over 30% African American voters, the lost or “residual” vote rate has been
shown to be as high as 4.1%.

Our attacker in Pennasota would probably not be able to swing the gubernatori- 
al race from Jefferson to Adams merely by inserting a Software Attack Program 
that would turn off the over/undervote protection on PCOS scanners. Even if
we assume that the result of turning off the protection were a loss of 4% of the
votes on every scanner and that all of those votes would have gone to Tom
Jefferson, this would only result in the loss of about 20,000 votes. This would still 
leave Jefferson (who won by over 80,000) with a comfortable (though slimmer) 
margin of victory. 





Nevertheless, this attack could cause the loss of thousands of votes, dispropor- 
tionately affecting poor and minority voters. Neither the Basic Set nor Automatic 
Routine Audit Plus Set of Countermeasures (without some sort of statisti-
cal analysis of over/undervotes) would counter this attack.

There are at least two possible ways to catch this attack:

• Through Parallel Testing (assuming that the Software Attack Program has
  not also figured out a way to shut off when it is being tested); and

• By counting over/undervotes in the audit of the voter-verified paper record
  to determine whether there is a disproportionate number of such lost votes
  (this again points to the importance of statistical analysis and investigation in conjunction
  with the audit of the voter-verified paper record -- by looking for an unusual number of over-
  and undervotes, the state could spot this kind of attack).

PCOS Attack Number 49: Attack on Scanner 
Configuration Causes Misrecording of Votes 

Advocates for PCOS systems point out that the paper record is created by the 
voter, rather than a machine; the purported benefit of voter-created paper 
records is that they cannot be corrupted by the machine (as in DRE w/VVPT 
Attack Number 6, where the machine creates an incorrect paper record).

The flip side of this benefit is that, in filling out their ballots, people can make 
mistakes: they might circle the oval instead of filling it in; they might fill in only 
half the oval; they might fill the oval in with a pencil that the machine cannot rec- 
ognize. If our attackers configured our machines so that they tended to read par- 
tially filled ovals for Johnny Adams, but not Tom Jefferson, Johnny Adams could 
benefit with many additional votes. Given our analysis of PCOS Attack Number
8, we are skeptical that this attack would be sufficient to turn our imagined elec- 
tion from Jefferson to Adams (though without more investigation, we are unable 
to come to a certain conclusion). Nevertheless, we are confident that if PCOS 
Attack Number 49 were accomplished via an Attack Program that reached every 
PCOS scanner, it probably could affect thousands of votes. 

This attack highlights a problem that is unique to the PCOS system. In conduct- 
ing an audit of the voter-verified paper record or recount, what should be count- 
ed as a vote? If the test is merely what the machine reads as a vote, Attack 
Number 49 would succeed without further investigation. 

Again, some statistical analysis done in conjunction with the Automatic Routine 
Audit (perhaps allowing the Secretary of State’s office to review ballot images to 
look for discrepancies in how votes are counted by the scanners) should allow a 
jurisdiction to catch this attack. 





CONCLUSIONS

Conclusions from Representative Least Difficult Attacks 

With the Basic Set of Countermeasures in place, a minimum of 1 to 3 informed 
participants would be needed to successfully execute PCOS Attack Number 41
(Software Attack on Inserted Memory Cards) and change the result of the 
Pennasota governor’s race. 

With the Regimen for Parallel Testing Plus Basic Set of Countermeasures in 
place, PCOS Attack Number 41 becomes more difficult. The attacker will need 
at least 3 to 7 informed participants to successfully execute this attack and change
the result of the Pennasota governor’s race. 

PCOS Attack Number 41 would be substantially more difficult to successfully 
execute against the Regimen for Automatic Routine Audit Plus Basic Set of 
Countermeasures than it would be against the Basic Set of Countermeasures or
the Regimen for Parallel Testing Plus Basic Set of Countermeasures. The attack-
er will need at least 386 informed participants to successfully execute PCOS
Attack Number 41 and change the result of the Pennasota governor’s race.

Conclusions about PCOS

• As with DREs, local jurisdictions that take more control of running their own
  elections (by performing their own programming, creating their own ballot
  definition files, etc.) are going to make successful attacks against statewide
  elections more difficult.

• The value of paper ballots without the Automatic Routine Audits is highly
  questionable.

• If voters are well informed as to how to properly fill out PCOS ballots, many
  attacks against PCOS systems will become more difficult.

Conclusions about the Regimen for 
Automatic Routine Audit Countermeasure 

• Statistical examination of anomalies in ballot images and vote totals, such as
  higher than expected over- and undervotes, can help detect fraud. Currently,
  none of the states that conduct Automatic Routine Audits examine paper
  records for statistical anomalies.

• Automatic Routine Audits conducted soon after the close of polls are less vul-
  nerable to attack, because there is less time to tamper with the paper records.

• Solid chain of custody practices and physical security of paper records prior





to the Automatic Routine Audit are crucial to creating an effective auditing 
regimen. The practices discussed infra pp. 87-88 should assist jurisdictions in 
creating an effective auditing regimen. 

• The auditing process will be much less vulnerable to attack if machines and
  auditors are selected and assigned in a publicly transparent and random
  manner.

Conclusions about Taking Action
When Anomalies Are Found in the Automatic Routine Audit

As is the case for DREs w/VVPT, an Automatic Routine Audit of PCOS ballots
offers questionable security benefit unless effective procedures to investigate dis-
crepancies (including taking remedial action, where necessary) are implemented
and adhered to. Detection of possible fraud without an effective response will not 
thwart an attack on voting systems. For further discussion of this topic, see supra 
pp. 74-75. 





PREVENTION OF 
WIRELESS COMMUNICATION: 

A POWERFUL COUNTERMEASURE 
FOR ALL THREE SYSTEMS 




As already discussed in some detail (see supra pp. 46, 48, 55-56), our analysis shows
that machines with wireless components are particularly vulnerable to Trojan
Horse and other attacks. We conclude that this danger applies to all three systems
we have examined. Only two states, New York and Minnesota, ban wireless com-
ponents on all machines. California’s ban on wireless components appears to
apply to DREs only.

Unfortunately, banning use of wireless components on voting systems without 
banning the wireless components themselves (as is done in several states) still 
poses serious security risks. First, a Software Attack Program could be designed
to re-activate any disabling of the wireless component. In such circumstances, the
voting machine might indicate that the wireless component was off, when it actu-
ally could receive signals. Second, pollworkers or anyone else with access to the
voting machine could turn on the wireless component when it was supposed to
be turned off. Under either scenario, our attacker could use a wireless-enabled 
PDA or other device to send remote signals to the wireless component and install 
her attack. 

Vendors continue to manufacture and sell machines with wireless components.
Among the many types of attacks made possible by wireless components are
attacks that exploit an unplanned vulnerability in the software or hardware to get
a Trojan Horse into the machine. For this type of attack, an attacker would not
need to insert a Trojan Horse in advance of Election Day. Instead, if she was
aware of a vulnerability in the voting system’s software or firmware, she could
simply show up at the polling station and beam her Trojan Horse into the
machine using a wireless-enabled PDA.

Thus, virtually any member of the public with some knowledge of software and 
a PDA could perform this attack. This is particularly troubling when one consid- 
ers that most voting machines run on COTS software and/or operating systems; 
the vulnerabilities of such software and systems are frequently well known.

Against all three systems, attackers could use wireless components to subvert all 
testing. Specifically, an attack program could be written to remain dormant until
it received specific commands via a wireless communication. This would allow
attackers to wait until a machine was being used to record votes on Election Day
before turning the software attack on.

Attackers could also use wireless communications to gain fine-grained control
over an attack program already inserted into a particular set of machines (i.e.,





switch three votes in the second race on the third machine), or obtain informa- 
tion as to how individuals had voted by communicating with a machine while it 
was being used. 

Finally, wireless networking presents additional security vulnerabilities for juris-
dictions using DREs w/VVPT and PCOS. A major logistical problem for an
attacker changing both electronic and paper records is how to get the new paper
records printed in time to substitute them for the old record in transit. With wire-
less networking the DRE or PCOS can transmit specific information out to the
attacker about what should appear on those printed records. In short, permitting
wireless components on VVPT or PCOS machines makes the attacker’s job
much simpler in practice.





SECURITY RECOMMENDATIONS 

There is a substantial likelihood that the election procedures and countermea- 
sures currently in place in the vast majority of states would not detect a cleverly 
designed Software Attack Program. The regimens for Parallel Testing and
Automatic Routine Audits proposed in the Security Report are important tools 
for defending voting systems from many types of attack, including Software 
Attack Programs. For the reasons discussed, supra pp. 6-7, we also believe that 
these measures would reduce the likelihood that votes would be lost as a result of 
human error. 




Most jurisdictions have not implemented these security measures. Of the 26
states that require a voter-verified paper record, only 12 states require automatic
audits of those records after every election, and only two of these states --
California and Washington -- conduct Parallel Testing. Moreover, even those
states that have implemented these countermeasures have not developed the best
practices and protocols that are necessary to ensure their effectiveness in pre-
venting or revealing attacks or failures in the voting systems.


Recommendation #1: 

Conduct Automatic Routine Audit of Paper Records. 

Advocates for voter-verified paper records have been extremely successful in state
legislatures across the country. Currently, 26 states require their voting systems to
produce a voter-verified record, but 14 of these states do not require Automatic
Routine Audits. The Task Force has concluded that an independent voter-verified
paper trail without an Automatic Routine Audit is of questionable security
value.

By contrast, a voter-verified paper record accompanied by a solid Automatic 
Routine Audit can go a long way toward making the least difficult attacks much 
more difficult. Specifically, the measures recommended below should force an 
attacker to involve hundreds of informed participants in her attack. 

• A small percentage of all voting machines and their voter-verified paper
  records should be audited.

• Machines to be audited should be selected in a random and transparent way.

• The assignment of auditors to voting machines should occur immediately
  before the audits. The audits should take place by 9 a.m., the day after polls
  close.

• The audit should include a tally of spoiled ballots (in the case of VVPT can-
  cellations), overvotes, and undervotes.





Recommendation #2: Conduct Parallel Testing. 

It is not possible to conduct an audit of paper records of DREs without VVPT
because no voter-verified paper record exists on such machines. This means that
jurisdictions that use DREs without VVPT do not have access to an important
and powerful countermeasure.

For paperless DRE voting machines, Parallel Testing is probably the best way to
detect most software-based attacks as well as subtle software bugs that may not be
discovered during inspection and other testing. For DREs w/VVPT and ballot-
marking devices, Parallel Testing provides the opportunity to discover a specific
kind of attack (for instance, printing the wrong choice on the voter-verified paper
record) that may not be detected by simply reviewing the paper record after the
election is over. However, even under the best of circumstances, Parallel Testing
is an imperfect security measure. The testing creates an “arms race” between the
testers and the attacker, but the race is one in which the testers can never be cer-
tain that they have prevailed.

We have concluded that the following steps will lead to more effective Parallel 
Testing: 

• The precise techniques used for Parallel Testing (e.g., exactly how and when
  the machine is activated, how activation codes/smart cards, etc. are produced
  to allow voting, etc.) should not be fully determined or revealed until right
  before the election. Details of how Parallel Testing is done should change
  from election to election.

• At least two of each type of DRE (meaning both vendor and model) should
  be selected for Parallel Testing.

• At least two DREs from each of the three largest counties should be parallel
  tested.

• Localities should be notified as late as possible that machines from their
  precincts will be selected for Parallel Testing.

• Wireless channels for voting machines should be closed off to ensure they
  cannot receive commands.

• Voting machines should never be connected to one another during voting.

• A statistical examination of anomalies, such as higher-than-expected vote
  cancellations or over- and undervotes, should be conducted.

• Solid practices with respect to chain of custody and physical security of
  paper records prior to the Automatic Routine Audit should be followed.




• Voting machines should be completely isolated during the election, and print
  out or otherwise display their totals before being connected to any central serv-
  er to send in its tallies.

• Parallel Testing scripts should include details such as how quickly or slowly to
  vote, when to make “errors,” and perhaps even when to cast each vote.

• Parallel Testing should be videotaped to ensure that a contradiction between
  paper and electronic records when Parallel Testing is complete is not the
  result of tester error.

While a few local jurisdictions have taken it upon themselves to conduct limited 
Parallel Testing, we are aware of only three states, California, Maryland and 
Washington, that have regularly performed Parallel Testing on a statewide basis. 
It is worth noting that two of these states, California and Washington, employ 
Automatic Routine Audits and Parallel Testing as statewide countermeasures 
against potential attack. 

Recommendation # 3: 

Ban Wireless Components on All Voting Machines.

Our analysis shows that machines with wireless components are particularly vul- 
nerable to attack. We conclude that this vulnerability applies to all three voting 
systems. Only two states, New York and Minnesota, ban wireless components on
all machines. California also bans wireless components, but only for DRE
machines. Wireless components should not be permitted on any voting machine. 

Recommendation # 4: 

Mandate Transparent and Random Selection Procedures. 

The development of transparently random selection procedures for all auditing 
procedures is key to audit effectiveness. This includes the selection of machines 
to be Parallel Tested or audited, as well as the assignment of auditors themselves.
The use of a transparent and random selection process allows the public to know
that the auditing method was fair and substantially likely to catch fraud or mis- 
takes in the vote totals. In our interviews with election officials we found that, all 
too often, the process for picking machines and auditors was neither transparent 
nor random. 

In a transparent random selection process: 

• The whole process is publicly observable or videotaped.

• The random selection is to be publicly verifiable, i.e., anyone observing is able
  to verify that the sample was chosen randomly (or at least that the number
  selected is not under the control of any small number of people).




• The process is simple and practical within the context of current election
  practice so as to avoid imposing unnecessary burden on election officials.
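One way to make the selection of machines and the assignment of auditors reproducible by any observer, as an added example that is not part of the report: the jurisdiction publishes a digest of its machine inventory, a seed is then generated in public (dice rolls are assumed here), and anyone can recompute the sample from the two. The function names, machine and auditor IDs and the seed string are constructed for illustration.

```python
"""Publicly reproducible selection of machines and auditors for an audit."""
import hashlib


def manifest_digest(machine_ids):
    """Digest of the machine inventory, to be published BEFORE the seed is rolled.

    Committing to the list first means nobody can add or drop machines once
    the seed is known.
    """
    if len(set(machine_ids)) != len(machine_ids):
        raise ValueError("duplicate machine id in inventory")
    canonical = "\n".join(sorted(machine_ids)).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def _rank(domain, seed, item):
    """Pseudo-random rank of one item; NUL separators avoid ambiguous joins."""
    data = "\x00".join((domain, seed, item)).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def select_for_audit(machine_ids, seed, count):
    """Return the `count` machines with the smallest seeded hash rank.

    The result depends only on the set of ids and the public seed, not on
    the order in which the inventory happens to be listed.
    """
    if not seed.strip():
        raise ValueError("seed must not be empty")
    if not 0 < count <= len(machine_ids):
        raise ValueError("count must be between 1 and the inventory size")
    manifest_digest(machine_ids)  # rejects duplicate ids
    ranked = sorted(machine_ids, key=lambda m: _rank("machine", seed, m))
    return ranked[:count]


def assign_auditors(selected, auditors, seed):
    """Pair each selected machine with an auditor in a seeded order."""
    if not auditors:
        raise ValueError("at least one auditor is required")
    order = sorted(auditors, key=lambda a: _rank("auditor", seed, a))
    return {m: order[i % len(order)] for i, m in enumerate(selected)}


def verify_selection(published_digest, machine_ids, seed, count, announced):
    """Observer's check: same inventory as committed, same sample as announced."""
    try:
        if manifest_digest(machine_ids) != published_digest:
            return False
        return select_for_audit(machine_ids, seed, count) == list(announced)
    except ValueError:
        return False


# Constructed sample data (not from the report).
MACHINES = [f"PCOS-{n:04d}" for n in range(1, 21)]
AUDITORS = ["auditor-A", "auditor-B", "auditor-C"]
SEED = "public dice roll: 4 1 6 2 3 5 1 6 2 4"

if __name__ == "__main__":
    digest = manifest_digest(MACHINES)            # published ahead of time
    sample = select_for_audit(MACHINES, SEED, 3)  # computed after the roll
    print("inventory digest:", digest)
    print("audit sample:", sample)
    print("assignments:", assign_auditors(sample, AUDITORS, SEED))
    print("observer check:", verify_selection(digest, MACHINES, SEED, 3, sample))
```

The guarantee rests on the order of events: the inventory digest must be public before the seed exists, and the seed must come from a source no small group controls.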

Recommendation # 5:

Ensure Local Control of Election Administration. 

Where a single entity, such as a vendor or state or national consultant, runs elec-
tions or performs key tasks (such as producing ballot definition files) for multiple 
jurisdictions, attacks against statewide elections become easier. Unnecessary cen- 
tralized control provides many opportunities to implement attacks at multiple 
locations. 

Recommendation # 6: Implement Effective Procedures 
for Addressing Evidence of Fraud or Error. 

Both Automatic Routine Audits and Parallel Testing are of questionable security 
value without effective procedures for action where evidence of machine mal-
function and/or fraud is uncovered. Detection of fraud without an appropriate
response will not prevent attacks from succeeding. In the Brennan Center’s exten-
sive review of state election laws and practices and in its interviews with election
officials for the Threat Analysis, we did not find any jurisdiction with publicly 
detailed, adequate, and practical procedures for dealing with evidence of fraud 
or error discovered during an audit, recount or Parallel Testing. 

The following are examples of procedures that would allow jurisdictions to 
respond effectively to detection of bugs or Software Attack Programs in Parallel 
Testing: 

• Impound and conduct a transparent forensic examination of all machines
  showing unexplained discrepancies during Parallel Testing.

• Where evidence of a software bug or attack program is subsequently found
  (or no credible explanation for the discrepancy is discovered), conduct a
  forensic examination of all DREs in the state used during the election.

• Identify the machines that show evidence of tampering or a software flaw
  that could have affected the electronic tally of votes.

• Review the reported margin of victory in each potentially affected race.

• Based upon the (1) margin of victory, (2) number of machines affected, and
  (3) nature and scope of the tampering or flaw, determine whether there is a
  substantial likelihood that the tampering or flaw changed the outcome of a
  particular race.





• Where there is a substantial likelihood that tampering changed the outcome
  of a particular race, hold a new election for the office.

The following is an illustrative set of procedures that would allow jurisdictions to 
respond effectively to discrepancies between paper and electronic records during 
an Automatic Routine Audit: 

• Conduct a transparent investigation of all machines where the paper and
  electronic records do not match to determine whether there is any evidence
  that tampering with the paper records has occurred.

• To the extent that there is no record that the paper records have been tam-
  pered with, certify the paper records.

• If there is evidence that the paper records have been tampered with, give a
  presumption of authority to the electronic records.

• After giving a presumption of authority to the electronic records, conduct a
  forensic investigation on all machines where the paper and electronic records
  do not match to determine whether there has been any tampering with the
  electronic records.

• If tampering with the electronic records can be ruled out, certify the elec-
  tronic records.

• Where there is evidence that both sets of records have been tampered with,
  conduct a full recount to determine whether and to what extent paper and
  electronic records cannot be reconciled.

• At the conclusion of the full recount, determine the total number of
  machines that report different electronic and paper records.

• After quantifying the number of machines that have been tampered with,
  determine the margin of victory in each potentially affected race.

• Based upon (1) the margin of victory, (2) the number of machines affected,
  and (3) the nature and scope of the tampering, determine whether there is a
  substantial likelihood that tampering changed the outcome of a particular
  race.

• In the event that a determination is made that there is a substantial likelihood
  that tampering changed the outcome of a particular race, hold a new elec-
  tion for the office.





DIRECTIONS FOR THE FUTURE 

We are hopeful that this report will spur further orderly and empirical analyses of
threats to voting systems for the purpose of assessing new voting systems as well
as proposed security procedures and countermeasures. Some of our suggestions 
for further study are detailed below. 


WITNESS AND CRYPTOGRAPHIC SYSTEMS 

This report was necessarily limited to analyzing systems currently in use. Further
security analyses must be performed on witness and cryptographic voting sys-
tems, which provide some hope of offering election officials additional choices for
independently verifiable voting systems in the future.

For a detailed discussion of these systems and their potential, see the website of
the Electronic Privacy Information Center at
http://www.epic.org/privacy/voting/cac_foia/vlad.dor. Also see the website of the
Society for Industrial and Applied Mathematics at
http://www.siam.org/sianincws/04-04/voting.pdf.

INFORMING VOTERS OF THEIR ROLE
IN MAKING SYSTEMS MORE SECURE

This report makes clear that informed voters are an important defense against
potential attacks. The larger the number of voters who check their VVPT before
casting their vote, the less likely that an Automatic Routine Audit would be
unable to catch a Trojan Horse attack. Similarly, the more voters who fill out their
PCOS ballots correctly, the less likely that a Trojan Horse attack on the
over/undervote protection or scanner calibration will affect the number of
recorded votes.

Election officials and voting systems experts should be looking at ways to ensure
that voters understand their role in creating a more secure voting system.

ADDITIONAL STATISTICAL TECHNICAL TECHNIQUES
TO DETECT FRAUD

This study has pointed to at least two areas where statistical techniques in the
Automatic Routine Audit could be used to catch fraud: (1) where there is an
unusually high number of cancellations on the VVPT, and (2) where there is an
unusually high number of over/undervotes on PCOS ballots. We encourage
statisticians and political scientists to find additional statistical techniques to detect
fraud.
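
One way an audit team could screen for the two signals named above is a leave-one-out binomial test per machine. This is an added illustration, not a method taken from the report; the choice of test, the alpha threshold, the function names and the sample counts (which are constructed) are all assumptions.

```python
from math import lgamma, log, exp

# Constructed sample audit data (not from the report).
# machine id -> (ballots cast, VVPT cancellations). The same shape works for
# (ballots scanned, over/undervotes) when auditing PCOS ballots.
AUDIT_SAMPLE = {
    "M-01": (412, 6),
    "M-02": (388, 5),
    "M-03": (450, 7),
    "M-04": (401, 31),
    "M-05": (397, 4),
    "M-06": (430, 8),
}


def binom_upper_tail(n, k, p):
    """Exact P(X >= k) for X ~ Binomial(n, p), summed in log space so that
    large n does not overflow and tiny terms underflow harmlessly to 0."""
    if k <= 0:
        return 1.0
    if p <= 0.0:
        return 0.0
    if p >= 1.0:
        return 1.0
    total = 0.0
    for i in range(k, n + 1):
        log_pmf = (lgamma(n + 1) - lgamma(i + 1) - lgamma(n - i + 1)
                   + i * log(p) + (n - i) * log(1.0 - p))
        total += exp(log_pmf)
    return min(total, 1.0)


def flag_unusual_machines(audit, alpha=0.01):
    """Return machines whose event count is improbably high.

    Each machine is compared with the pooled rate of all OTHER audited
    machines (leave-one-out), so a tampered machine cannot hide by inflating
    its own baseline. The threshold is Bonferroni-corrected for the number
    of machines tested. A flag is a reason to examine the machine and its
    paper records, not proof of tampering.
    """
    for mid, (n, k) in audit.items():
        if n < 0 or k < 0 or k > n:
            raise ValueError(f"inconsistent counts for {mid}: {n}, {k}")
    total_n = sum(n for n, _ in audit.values())
    total_k = sum(k for _, k in audit.values())
    threshold = alpha / max(len(audit), 1)
    flagged = []
    for mid in sorted(audit):
        n, k = audit[mid]
        rest_n, rest_k = total_n - n, total_k - k
        if n == 0 or rest_n == 0:
            continue  # nothing to compare against
        baseline = rest_k / rest_n
        p_value = binom_upper_tail(n, k, baseline)
        if p_value < threshold:
            flagged.append({
                "machine": mid,
                "rate": k / n,
                "baseline": baseline,
                "p_value": p_value,
            })
    return flagged


if __name__ == "__main__":
    for row in flag_unusual_machines(AUDIT_SAMPLE):
        print(f"{row['machine']}: rate {row['rate']:.3f} vs baseline "
              f"{row['baseline']:.3f}, p = {row['p_value']:.2e}")
```
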




LOOKING FOR BETTER PARALLEL
TESTING TECHNIQUES

We conclude that Parallel Testing can be a useful countermeasure that should
make voting systems more secure, particularly in jurisdictions where voting
systems do not have voter-verified paper records. We have made a number of
observations concerning solid Parallel Testing practices. We believe that additional
studies should be done to attempt to make Parallel Testing practices even
stronger. Parallel Testing creates an “arms race” of sorts between the testers and
the attacker - where the testers can never be certain that they have prevailed.

LOOKING AT OTHER ATTACK GOALS

This report took on the simplifying assumption that the attacker’s objective was
to change the outcome of a statewide race. But attackers could have other goals:
to attack voter privacy, disrupt an election, or discredit the electoral process. All
of these are serious threats that we should guard against. Methodical threat
analyses of these attack objectives would also be useful and employing the same
approach used here might well provide critical insight.

LOOKING AT OTHER RACES

The method and analysis of this study can be applied to any race, real or
hypothetical, local or statewide. We encourage security analysts, public officials and
interested citizens to use the information and methods in this document to
address their specific security concerns.





GLOSSARY* 

Automatic Routine Audit. Automatic Routine Audits are used in twelve states to
test the accuracy of electronic voting machines. They generally require that
between 1 and 10% of all precinct voting machines be audited. The Task
Force findings regarding Automatic Routine Audit regimens can be found in this
report at pages 76-77, and 87-88.

Cryptic or Secret Knock. Where a Trojan Horse or other Software Attack
Program has been inserted into a machine, a Cryptic Knock is an action taken
by a user of the machine that will trigger (or silence) the attack behavior. The
Cryptic Knock could come in many forms, depending upon the attack program:
voting for a write-in candidate, tapping a specific spot on the machine’s screen, a
communication via wireless network, etc.

Configuration Files. Voting systems are generally designed to be used across
many jurisdictions with very different needs, regulations and laws. In addition to
the ballot definition information in a voting terminal on Election Day, there are
a wide range of settings that must be configured correctly in order to have the
terminal perform correctly. For instance, machines must be configured to tell the
system how to behave when a voter leaves with a ballot not completed and the
election officials indicate to the machine that the voter has left without casting his
ballot. In some jurisdictions, the machine should cast the ballot while in others, it
should void the ballot. These settings can be thought of as residing in
configuration files, although they may actually be stored in the Windows Registry, in a
database or elsewhere.

Driver. In general, a driver is a program designed to interface a particular piece
of hardware to an operating system or other software. Computer systems are
designed with drivers so that many programs such as MS Word, QuickBooks, and
Firefox web browser, for example, could interface with lots of devices such as
printers, monitors, plotters, and barcode readers without having to have each one
of these programs depend on the details of each device. With regard to voting
technology, drivers are likely to be present to interface with audio devices for
accessibility, the screen, the touch-screen hardware, a printer for printing totals
and other information, and for interfacing with the battery backup unit.

Event and Audit Logs. In general, computer systems are programmed to record
all activities that occur, including when they are started up, when they are shut
down, etc. A voting terminal could be programmed to remember when it was
started, shut down, when it printed its zero tape, and the like. Such records are
Event Logs or Audit Logs. These records could be helpful during a forensic
analysis of voting systems after a suspected attack.

Independent Testing Authority. Starting with the 1990 FEC/NASED standards,
independent testing authorities (“ITAs”) have tested voting systems, certifying
that these systems meet the letter of the “voluntary” standards set by the federal
government and required, by law, in most states. Several states, such as Florida,
that impose additional standards contract with the same labs to test to these
stronger standards.

Logic and Accuracy Testing (or “L&A” Testing). This is the testing of the
tabulator setups of a new election definition to ensure that the content correctly reflects
the election being held (i.e., contests, candidates, number to be elected, ballot
formats, etc.) and that all voting positions can be voted for the maximum number of
eligible candidates and that results are accurately tabulated and reported. Logic
and Accuracy Testing should not be confused with Parallel Testing: Logic and
Accuracy Testing is generally done prior to the polls opening; it is not intended
to mimic the behavior of actual voters and generally lasts only a few minutes.
Most machines have a “Logic and Accuracy” setting so that the machine “knows”
it is being tested.

Parallel Testing. Parallel Testing, also known as election-day testing, involves
selecting voting machines at random and testing them as realistically as possible
during the period that votes are being cast. The Task Force findings regarding
Parallel Testing regimens can be found in this report supra pp. 52-59 and 88-89.

Software Attack Program. Any destructive program, including Trojan Horses,
viruses or other code, that is used to overtake voting systems for the purpose of 
altering election results. 

Trojan Horse. A destructive program that masquerades as a benign program. 
Unlike viruses, Trojan Horses do not replicate themselves. 





ENDNOTES 

Ballot Marking Devices have been purchased by several jurisdictions in recent months.
However, they have not yet been purchased as the primary machine in any jurisdiction’s voting
system. Instead, they have generally been purchased as the “accessible” unit, to meet the Help
America Vote Act’s accessibility requirements. Lawrence Norden, Voting System Usability, in The
Machinery of Democracy (Brennan Center for Justice ed., forthcoming July 2006).

These systems are currently used to a limited extent in both Vermont and New Hampshire.
Lawrence Norden et al., Voting System Accessibility, in The Machinery of Democracy (Brennan
Center for Justice ed., forthcoming July 2006).

These systems are currently in development and not commercially available. They are
discussed in further detail p. 92.

In 2004, 27 States allowed early voting. Approximately 19.3% of voters in these states voted
early. Approximately 11.6% of votes counted in 2004 were absentee ballots. Oregon is the only
state with an all-mail voting system. See Election Assistance Commission, EAC Election Day Survey,
http://www.eac.gov/election_survey_2004/statedata/StateLevelSummary.htm (turnout source
tab at bottom) (Last visited May 25, 2006).

These reports will be released under separate cover in 2006. See supra notes 1 and 2 and infra
note 184.

NIST has informed the Brennan Center that the development of policy recommendations
for voting systems is not within the agency’s mission or institutional authority. Accordingly, the
policy recommendations in the report should not be attributed to Task Force members who work for
NIST.

Tracy Campbell, Deliver the Vote, at xvi (2005) (pointing to, among other things, a
history of vote buying, ballot stuffing, and transposing of results).

8 Id.

Joseph E Harris, Election Administration in the United States (1934).

See, e.g., Deliver the Vote, supra note 7 at 275-284; Edmund F. Kallina, Jr., Courthouse
Over White House - Chicago and the Presidential Election of 1960 (1988) (documenting
fraud found in Chicago’s 1960 elections); Andrew Gumbel, Steal This Vote, at 173-200 (2005)
(detailing tampering and questionable results in the era of lever and punch-card voting).

Deliver the Vote, supra note 7 at 83, 99, 137.

See, e.g., Chip Glitch Hands Victory to Wrong Candidate, Associated Press, Nov. 11, 2002
(noting that a “defective computer chip in [Scurry] County’s optical scanner misread ballots . . . and
incorrectly tallied a landslide victory for Republicans.”)

See, e.g., Computer Loses More Than 4,000 Early Votes in Carteret, Charlotte Observer, Nov.
4, 2004 (noting that as a result of a software bug, machines could only store 3,005 votes; after this
number of votes was recorded the machines accepted, but did not store, the ballots of 4,438
voters in the 2004 presidential election).

See, e.g., Anna M. Tinsley and Anthony Spangler, Vote Spike Blamed on Program Snafu, Fort
Worth Star-Telegram, Mar. 9, 2006 (noting that a programming error in the tally server
software caused an extra 100,000 votes to be initially recorded in Tarrant County, Texas).

See, e.g., Susan Kuczka, Returns Are In: Software Goofed — Lake County Tally Misled 15 Hopefuls,
Chicago Tribune, Apr. 4, 2003, at 1 (noting that programming error caused machines to record
names of wrong candidates).

See, e.g., Voters Turned Away After Waiting Hours (WPLG Local 10 News television broadcast,
Nov. 1, 2004) (noting that breakdowns of DREs in Broward County forced people to wait to vote
for hours before they could vote), available at http://www.local10.com/news/3878344/detail.html.

See, e.g., Kevin R Connolly, Computer Glitches Slow Volusia Results: County Officials Ask the
Machines Supplier to Investigate Why Memory Cards Failed Tuesday, Orlando Sentinel, Nov. 4, 2004 at
A17.

Nearly 40 Votes May Have Been Lost in Palm Beach County, USA Today, Nov. 2, 2004, at B7
(noting that failure to properly plug in machine appeared to cause the loss of as many as 40 votes).

Douglas W. Jones, Threats to Voting Systems at 2 (Oct. 7, 2005), available at
http://vote.nist.gov/threats/papers/threats_to_voting_systems.pdf (presented at the NIST Threat
Analysis Workshop).

20 The catalogs are available at www.brennancenter.org [hereinafter Attack Catalogs].

21 We determined that looking at each attack in the context of an effort to change a statewide
election was critical to determining its difficulty. There are many ways to switch or spoil a single
vote. It would be impossible for election officials to guard against all such threats. The challenge is
to prevent those attacks that (a) are feasible, and (b) if carried out successfully would affect a large
number of votes. By looking at attacks that could affect statewide elections, we have attempted to
limit ourselves to these types of attacks.

22 See, Attack Catalogs, supra note 20. 

23 The specifics might differ slightly. A vote buying scheme against DREs or DREs w/ VVPT
could involve the use of a small camera, whereby the voter would photograph the confirmation
screen, or VVPT to prove that she voted the way she promised. This would not work in the case of
a PCOS vote, as there is no display confirming the voter’s intention. To merely take a picture of the
PCOS ballot would prove nothing - the voter could photograph a ballot that showed she voted for
Johnny Adams, but erase that vote and submit her ballot marked for Tom Jefferson. See Attack
Number 26 in the DRE w/ VVPT Catalog and Attack Number 26 in the DRE Catalog. Attack
Catalogs, supra note 20.

24 Of course, statewide elections are occasionally decided by mere dozens or hundreds of
votes. But these are the exceptions among the exceptionally close races. As discussed in more detail,
infra pp. 20-23, we have assumed that in attempting to affect a close statewide race, an attacker must
presume that one candidate’s margin of victory will be somewhere from 2-3% of all votes.

25 See PCOS Attack Catalog, Attack Catalogs, supra note 20.

26 In assigning values, we have made certain assumptions about the jurisdiction’s security
measures. As discussed in greater detail, infra pp. 14-15, these assumptions are based upon survey
responses from and interviews with current and former election officials about their security
practices. Among the assumptions we have made: (1) at the end of an Election Day, but prior to the
transportation of ballots, poll workers check the total number of votes cast against the poll books
in each polling place, and (2) ballots from each polling place are delivered to central county offices
separately (i.e., a single person or vehicle does not go from polling place to polling place collecting
ballots before delivering them to the central location).

27 This number was reached after considering the total number and types of ballots that
would have to be stolen or created.

28 Given the difficulty of stuffing the ballot box and modifying poll books, we have assumed
that at least one person would be needed for each task in every polling place where it is
accomplished. Of course, there is a real possibility that if this attack were carried out, someone would get
caught. At the very least, stuffing the ballot box and modifying the ballot boxes in the polling place
would be difficult to do without attracting notice. If anything, this fact supports our methodology.
It is not impossible to imagine that, with the proper motivation and skills, two people could
accomplish these goals in a single polling place somewhere in the country. It is far more difficult to
imagine dozens or hundreds of people accomplishing this task successfully in dozens or hundreds of
polling places in the same state. For this reason, and under our methodology, the attack is labeled
“very difficult” to accomplish successfully.

Among those interviewed in July and Aug. of 2005 regarding the difficulty of various
attacks on election systems were Debbie Smith, Elections Coordinator, Caleveras County, CA;
Patrick F. Gill, Auditor, Sioux City, IA; Wendy Noren, County Clerk of Boone County, MO;
Beverly J. Harry, County Clerk/Registrar of Voters, Inyo County, CA; Larry Lomax, Registrar of
Voters, Clark County, NV; Cliff Borofsky, Election Administrator for Bexar County, TX; F. Robert
Williams, Chief Information Officer for Monmouth County, NJ; and Brian Newby, Election
Commissioner of Johnson County, KS.

Wikipedia, U.S. Senate Election, 2000, http://en.wikipedia.org/wiki/U.S._Senate_election,_2000
(as of May 25, 2006, 15:30 GMT).

International Information Programs, 2004 U.S. Elections Results Finally Complete,
http://usinfo.state.gov/dhr/Archive/2005/Jan/03-462014.html (Dec. 30, 2004).

Zogby International, Election 2004 Zogby Battleground State Polls, at
http://www.zogby.com/news/ReadNews.dbm?ID=904 (Oct. 24, 2004).

While our results are derived from a review of a composite election in a composite
jurisdiction, we believe they are applicable to similarly close elections in almost any state. As a check on
our findings, we have run an analysis of Attack Catalogs against the Presidential race in
Washington State in 2004, and come up with substantially similar results to those discussed in this
paper.

Steganography is “the art and science of writing hidden messages in such a way that no
one apart from the intended recipient knows of the existence of the message.” Wikipedia,
Steganography, http://en.wikipedia.org/wiki/Steganography (as of May 25, 2006, 15:33 GMT).

See infra note 121.

Responses to the Brennan Center Security Survey are on file at the Brennan Center. For a
sample survey, see Appendix D.

Starting with the 1990 FEC/NASED standards, Independent Testing Authorities (“ITAs”)
have tested voting systems, certifying that these systems meet the letter of the “voluntary” standards
set by the federal government and required, by law, in most states. Several states, such as Florida,
that impose additional standards contract with the same labs to test to these stronger standards. In
the future, the EAC will be in charge of certification that will be done by VSTLs (Voting System
Test Labs). For further explanation of this change, see Election Assistance Commission, Voluntary
Voting System Guidelines (2005), available at http://www.eac.gov/VVSG%20Volume_II.pdf (Last
visited May 31, 2006). For further discussion of the testing most machines undergo, see Appendix E.

Our analysis shows that this is a very important countermeasure. Specifically, this
countermeasure allows pollworkers and the public to ensure that corrupt or flawed software on a county's
central tally-server does not incorrectly add up machine vote totals.

A thorough discussion of the types of testing voting machines might be subject to is
provided in Appendix E.

We have assumed that each machine delivered by a vendor to the jurisdiction is tested by
that jurisdiction. Even if the vendor has some kind of quality control guarantees, these are of no
value unless the customer detects failures at the time of delivery. At minimum, such tests would
include power-on testing, basic user interface tests (do all the buttons work, does the touch-screen
sense touches at all extremes of its surface, do the paper-feed mechanisms work, does the
uninterruptible power supply work). This is known as “Acceptance Testing.” For a more detailed
discussion of Acceptance Testing, see Appendix E.





We have assumed that before each election every voting machine would be subject to
public testing. This is frequently described as Logic and Accuracy testing or simply L&A testing, a term
that is more appropriate in the realm of punch-card and mark-sense ballot tabulating machines
than in the realm of DRE systems, but the term is used widely and in many states it is enshrined in
state law. For a more detailed discussion of Logic and Accuracy testing, see Appendix E.

Electionline.org, Recounts: From Punch Cards to Paper Trails, at 3 (Oct. 2005) [hereinafter
Recounts], at http://www.electionline.org/Portals/1/Publications/ERIPBrief12.SB370updated.pdf
(Last visited May 25, 2006).

California selects auditors at the county level by political party. Telephone Interview by Eric
L. Lazarus with Debbie Smith, Elections Coordinator, Caleveras County CA (July 14, 2005). We
assume each audit team will have at least two members, with one member selected by each
political party.

This might be difficult in the selection of machines for Parallel Testing. If election officials
insist on one-month’s notice as to which precincts will be tested, publication of the selected
machines could be problematic. Specifically, this would allow an attacker to know which precincts
to avoid attacking.

Many more recommendations for a sound Parallel Testing regime can be found in the
subsection entitled “Effects of Regimen for Parallel Testing” pp. 52-59.

In California election officials generally felt they needed at least a month’s notice - this is
because when Parallel Testing is done, certain precincts will lose the use of one or two machines.
Telephone interview by Eric L. Lazarus with Jocelyn Whitney, Developer and Project Manager for
Parallel Testing in California (Dec. 23, 2005).

In a threat paper entitled “Trojan Horse in DRE -OS” posted by Chris Lowe for the NIST
Threat Analysis Workshop in Oct. 2005, Mr. Lowe imagined an attack in an election involving Tom
Jefferson and John Adams. The analysis in this paper should not be confused with Mr. Lowe’s work,
although we do reference Mr. Lowe’s threat paper, infra note 120.

Because this report does not address security issues related to absentee voting, and for
purposes of simplicity, we are assuming that all votes were cast at a polling place on one of the three
voting systems we are examining.

The numbers in this appendix represent the average number of polling places and
precincts in the three largest counties in each of the Zogby battleground states in 2004 presidential
election (see supra note 32). Milwaukee County was not included in this analysis because they divide
up polling places and precincts in a way that made comparison impossible.

If an attacker were to switch 4% of the votes from Candidate A to Candidate B, it would
have the same effect on the margin of victory as adding 8% of the total votes to Candidate A, or
subtracting 8% of the total votes from Candidate B. This can be demonstrated in a simple
example. Suppose Candidate A and Candidate B each received 50 votes. If we switched 4 votes from
Candidate B to Candidate A, Candidate A would win the election by 8 votes: 54 for Candidate A,
46 for Candidate B. If on the other hand, we simply stuffed the ballot box and added 8 votes for
Candidate A, but did not otherwise tamper with the election results, Candidate A would still win
by 8 votes: 58 votes for Candidate A, and 50 votes for Candidate B.

This assumes that the county does not post PDF images of the ballot on the web prior to
the election; this was done by, among other counties, St. Lucie County, Florida prior to the General
Election of 2000.

See also Appendix G. 

This analysis does not even consider how much more difficult the attack would become if
one of our two other sets of countermeasures was in place. For instance, under the Basic Set of
Countermeasures, “ballot boxes are examined (to ensure they are empty) and locked by poll
workers immediately before the polls are opened.” This simple countermeasure would make PCOS
Attack 12 significantly more difficult to execute successfully; the attackers could not simply scan
ballots just before Election Day and hope that these ballots would become part of the tally. They would
have to co-opt every person charged with reviewing the ballot boxes prior to opening in all 606
targeted polling places.

Cook County Election Department, Results from November 2004 Elections, at
http://www.voterinfonet.com/results/detail/summary.php?election=20041102G (Last visited May 31,
2006).

Of course, it is possible that an attacker could switch more than this percentage of votes in
a single machine, polling place or county without detection. To the extent that she could do so, her
ability to successfully change the outcome of a statewide election would be made easier. For a
complete list of assumptions made about Pennasota, see Appendix G.

As discussed in greater detail, infra p. 72, for some attack scenarios, the ability to carry out
the attack in the fewest possible counties is key to (a) involving the fewest number of informed
participants and increasing the chances that the attack will not be detected. In other scenarios, a
statewide attack is more likely to accomplish these goals.

Specifically, our attacker would need to add or subtract less than six percent (6%) of votes
in these three counties; this means she would need to “switch” (i.e., move a vote from one candidate
to another) less than three percent (3%) of votes in these counties.

Based upon composite results from the three largest counties in each of the ten Zogby
Battleground States reviewed. See Zogby, supra note 32.

35 The fact that we list these categories of attacks does not mean that we necessarily believe
an attacker could successfully use these attacks to affect the outcome of our statewide election. We
have concluded that some attacks would certainly fail if attempted. In such cases, the Catalogs label
such attacks “N/A” under the column “Number of Informed Participants.”

By “very difficult” we mean that it would require hundreds or thousands of informed
participants; or, regardless of how many participants are involved, it would not affect enough votes to
change the outcome of a close statewide race.

Dr. Michael Shamos, Paper Trail Boycott (Oct. 5, 2005) (a NIST Threat Analysis workshop
presentation summarizing the logistics of this attack). A more detailed description of the attack can
be found at http://vote.nist.gov/threats/papers/papertrailboycott.pdf.

This number is a high estimate. See Professor Benjamin Highton, Long Lines, Voting Machine
Availability and Turnout, 39 Political Science and Politics 65, 67 (2006) (estimating that long lines
in Franklin County, Ohio resulted in a 7.7% reduction in turnout in certain very large precincts).

There are 2,969 polling places in Pennasota. See Appendix G.

This section of the report borrows and relies heavily on “Strategies for Software Attacks on Voting
Machines,” a white paper presented by John Kelsey of NIST at the NIST Threat Analysis workshop
in Oct. 2005. This section does not cover the technical details and challenges of creating a
successful software attack program in the same detail as Mr. Kelsey’s paper. That paper can be found
at http://vote.nist.gov/threats/papers/stategies_for_software_attacks.pdf.

See Computer Crime Research Center, Report America Under Attack, at
http://www.crime-research.org/news/2003/04/MessOSOl.html (Last visited May 31, 2006) (noting a record number
of computer hackers attacking military and government systems); see also Scott A. Boorman and
Paul R. Levitt, Deadly Bugs, Chicago Tribune (Magazine), May 3, 1987 at C19 (detailing, among
other attacks, the planting of a software bug in the computer system of the Los Angeles
Department of Water and Power in 1985, which made some of the utilities’ important internal files
inaccessible for a week); Edward Iwata, Companies Access Network Security, USA Today, Oct. 2, 2001
at 3B (citing “security audits” by security firm Sanctum in which they successfully broke “into the
networks of 300 organizations, including federal agencies, financial firms and airlines”).

See John Deutch, Off Line: At War with the Info-Terrorists, The Observer, July 7, 19^ at 7 (the
former Director of the Central Intelligence Agency cites attacks on computers and software to
divert funds from banks, embezzle funds and commit fraud against credit card companies); L.A.
Lorek, Internet Worm Disrupts Business, San Antonio Express-News (Texas), Jan. 28, 2003 at 1E
(discussing “Slammer,” a computer worm which attacked a hole in Microsoft software and prevented
banks and airlines from performing basic operations).

There is an extensive history of successful attacks against content protection systems, such
as those created to protect digital media. See generally Wikipedia, Digital Rights Management,
http://en.wikipedia.org/wiki/Digital_rights_management (detailing many such attacks) (as of May
26, 2006 1.1:39 GMT). For instance, in Oct. 1999 a teenaged Scandinavian high school dropout,
Jon Lech Johansen, broke a much heralded DVD encryption scheme. See Wikipedia,
Content-Scrambling System, http://en.wikipedia.org/wiki/Content_Scrambling_System (as of May 26, 2006
15:39 GMT).

Special purpose cryptographic devices are created to protect key material, even when an
attacker has control over the device doing the encryption. There have been a number of successful
attacks against such devices. See Ross Anderson, Mike Bond, Jolyon Clulow & Sergei Skorobogatov,
Cryptographic Processors - A Survey, University of Cambridge Computer Laboratory Technical
Report No. 641 (Aug. 2005), at http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-641.pdf,
for an excellent history of some of these high-level attacks.

See, e.g., Jaikumar Vijayan, Security Product Flaws are Magnets for Attackers, Computer Weekly,
at http://www.computerweekly.com/Articles/Article.aspx?liArticleID=201449&PrinterFriendly=true
(Mar. 29, 2004) (noting the growing number of attacks against “the very products users invest
in to safeguard their systems”).

For an example of this type of attack, see the discussion of Ron Harris’s attack on video 
poker machines, infra note 148. 

Domain Name System (DNS) is a distributed database that stores mappings of Internet
Protocol addresses and host names to facilitate user-friendly web browsing. See Ian Betteridge,
Security Company Warns About DNS Attacks, eWeek.com at
http://www.eweek.com/article2/0,,1782543,00.asp (Apr. 5, 2005) (for discussion of DNS attacks).

Dennis Callaghan, Federal Sweep Nets Spammers, Cyber-Criminals, eWeek.com, at
http://www.eweek.com/print_article2/0,1217,a=134i59,00.asp (Aug. 26, 1994) (noting that the U.S.
Department of Justice announced “that it has taken action against more than 150 individuals”
accused of phishing and other related spam attacks); 2004: Year of the Cyber-Crime Pandemic,
eWeek.com, at http://www.eweek.com/article2/0,1895,1745848,00.asp (Jan. 1, 2005) (noting that
between July and Nov. 2004, there was an average monthly growth rate of unique phishing attacks
of 34%).

See Lisa Vaas, No One-Stop Shopping to Stop Database Pilferages, eWeek.com, at
http://www.eweek.com/article2/0,1895,1904527,00.asp (Dec. 29, 2005) (describing attack on
database of role-playing game company where attackers “exploited a software flaw and threatened
to post stolen user data including user names, e-mail addresses and encrypted passwords” unless
they were paid).

Bob Keefe, New Worm is Thief, Not Prankster, The Atlanta Journal-Constitution, Aug.
20, 2005 at U) (detailing how criminals exploited a vulnerability in Microsoft software to “quietly
‘harvest’ ... sensitive data on a small number of computers — employee Social Security numbers,
credit card numbers, passwords” - and then turn the machines into networks of “bots,” to be “sold
on virtual black markets”).

Gavin Clarke, Windows beats Linux-Unix on Vulnerabilities - CERT, at
http://www.theregister.co.uk/2006/01/05/windows_linux_unix_security_vulnerabilities (Jan. 5, 2006).

Brian Krebs, Windows Security Flaw is, Washington Post, Dec. 30, 2005 D1.

U.S. Government Accountability Office, Elections: Federal Efforts to Improve Security and
Reliability of Electronic Voting Systems Are Under Way, But Key Activities Need to Be Completed, at 29 (Sept.
2005) (Report No. GAO-05-956) [hereinafter GAO Report] available at
http://reform.house.gov/UploadedFiles/GAO-05-956.pdf.

Brendan I. Koerner, Welcome to the Machine, HARPER’S MAGAZINE Apr. 1, 2004, at 83.

Id.; See also Wikipedia entry for Ron Harris, http://en.wikipedia.org/wiki/Ron_Harris_(programmer)
(as of May 2(K)6 ISdK) GMT).

In computing, “a patch is a small piece of software designed to update or fix problems with
a computer program. This includes fixing bugs, replacing graphics and improving the usability or
performance.” See Wikipedia, Software Patch, http://en.wikipedia.org/wiki/Software_patch (as of
May 26, 2006 15:42 GMT). Also see J. G. Levine et. al., Detecting and Categorizing Kernel-Level Rootkits
to Aid Future Detection, IEEE SECURITY AND PRIVACY, Jan-Feb 2006, at 24-32.

On a ballot (whether electronic or paper), candidate names are listed numerically with, say,
“1” next to Tom Jefferson’s name and “2” next to Johnny Adams. In the ballot definition file,
programmers define what those numbers mean so when a voter touches a box next to 1 on the screen,
the vote gets tallied for Tom Jefferson.

This is not intended to be an exhaustive list.

GAO Report, supra note 77 at 33.

“A rootkit is a set of software tools frequently used by a third party (usually an intruder)
after gaining access to a computer system. These tools are intended to conceal running processes,
files or system data, which help an intruder maintain access to a system without the user’s
knowledge. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and
versions of Microsoft Windows. A computer with a rootkit on it is called a rooted computer. The word
“rootkit” came to public awareness in the 2005 Sony CD Copyright protection controversy, in
which SONY BMG music CDs placed a rootkit on Microsoft Windows PCs.” Wikipedia, Root Kit,
http://en.wikipedia.org/wiki/Root_kit (as of May 30, 2006 15:50 GMT).

See Tadayoshi Kohno, Adam Stubblefield, Aviel Rubin, and Dan S. Wallach, Analysis of an
Electronic Voting System at 13-14 (Feb. 2004), at http://avirubin.com/vote.pdf (paper for the IEEE
Symposium on Security and Privacy); Dr. Michael A. Wertheimer, RABA Technologies LLC,
Trusted Agent Report: Diebold AccuVote-TS System at 8 available at
http://www.raba.com/press/TA_Report_AccuVote.pdf (Jan. 2004) (report prepared for Department of
Legislative Services, Maryland General Assembly Annapolis, Md.), [hereinafter “RABA Report”].

GAO Report, supra note 77 at 25. 

The five points of vulnerability listed here are not meant to be a complete list; rather they
represent some of the most obvious points of attack.

See, Harri Hursti and Eric Lazarus, Replaceable Media on Optical Scan, NIST at
http://vote.nist.gov/threats/papers/ReplaceableMediaOnOpticalScan.pdf (Last visited May 31,
2006).

Kim Zetter, Diebold Hack Hints at Wider Flaws, Wired News, Dec. 21, 2005 available at
http://www.wired.com/news/politics/evote/0,69893-0.html.

“A Red Team exercise is designed to simulate the environment of an actual event, using the
same equipment and procedures of the system to be evaluated.” RABA Report, supra note 85 at 16.





Responses to the Brennan Center Security Survey are on file at the Brennan Center. For
sample survey see Appendix D.

See e.g. Dean Takahashi, Cautionary Tales Security Expert, PROCESSOR, Mar. 25, ^03 available at
http://www.processor.com/editorial/article.asp?article=articles%2Fp2712%2F03p12%2F03p12.asp&guid=&searchtype=&WordList=&yumpTo=True
(detailing the reporting of security expert Kevin T. Mitnick, who showed how three hackers
successfully obtained an old video-poker machine, took it apart and deciphered its software; this
allowed them to steal more than $1 million from Las Vegas casinos).

As a reminder, the ballot definition files are created after a machine and its software have
been tested and inspected. The files are sent to local jurisdictions and allow the machine to (a)
display the races and candidates in a given election, and (b) record the votes cast.

95 “Personal digital assistants (PDAs or palmtops) are handheld devices that were originally
designed as personal organizers, but became much more versatile over the years. A basic PDA
usually includes a date book, address book, task list, memo pad, clock, and calculator software. Many
PDAs can now access the Internet via Wi-Fi, cellular or Wide-Area Networks (WANs) or Bluetooth
technology. One major advantage of using PDAs is their ability to synchronize data with a PC or
home computer.” Wikipedia, Personal Digital Assistant, at
http://en.wikipedia.org/wiki/Personal_digital_assistant (as of May 26, 2006 15:45 GMT).

A Cryptic Knock is an action taken by a user of the machine that will trigger (or silence)
the attack behavior. The Cryptic Knock could come in many forms, depending upon the attack
program: voting for a write-in candidate, tapping a specific spot on the machine’s screen, a
communication via wireless network, etc.

This is the testing of the tabulator setups of a new election definition to ensure that the
content correctly reflects the election being held (i.e., contests, candidates, number to be elected, ballot
formats, etc.) and that all voting positions can be voted for the maximum number of eligible
candidates and that results are accurately tabulated and reported.

For a more detailed discussion of specific attacks, see http://vote.nist.gov/threats or request
a copy of the Attack Catalogs at www.brennancenter.org.

RABA Report, supra note 85, at 20-21.

A more complete description of the testing and inspection process for machines (touched
upon infra pp. 42-44), can be found in Appendix E.

101 By “inspection” we mean review of code, as opposed to “testing,” which is an attempt to
simulate voting to ensure that the machine is functioning properly (and votes are being recorded
accurately). We discuss testing in the next subsection.

David M. Siegel, an independent technology consultant for this report, contributed
significantly to this subsection. For a more detailed discussion of the difficulty of catching attack
programs through inspection, see Ken Thompson, Reflections on Trusting Trust, 27 COMMUNICATIONS OF
THE ACM 761 (Aug 1984), available at http://www.acm.org/classics/sep95.

This is a software program that is generally sold as commercial off-the-shelf software.

For further discussion of the limits of ITA testing and State Qualification Tests, see GAO
Report, supra note 77 at 35; Douglas Jones’s “Testing Voting Machines”, at
http://www.cs.uiowa.edu/~jones/voting/testing.shtml#ita (Last visited May 30, 2006); Dan S. Wallach,
Democracy at Risk: The 2004 Election in Ohio, Section VII: Electronic Voting: Accuracy, Accessibility and Fraud,
DEMOCRATIC NATIONAL COMMITTEE VOTING RIGHTS INSTITUTE, at 4 (June 2005), available at
http://www.votetrustusa.org/pdfs/DNCElectronic%20Voting.pdf.

105 “Firmware is software that is embedded in a hardware device” (i.e., the voting machine).
Wikipedia, Firmware, at http://en.wikipedia.org/w/index.php?title=Firmware&oldid=48665273
(as of May 26, 2006 13:25 GMT).

Election Assistance Commission, Systems Standards Volume II, National Testing Guidelines
at §1.3.1.3, available at http://www.eac.gov/VVSG%20Volume_II.pdf (Last visited May 30, 2006).

GAO Report, supra note 77 at 35-36.

108 For a complete description of testing that a voting machine might be subject to, see
Appendix E.

Some voters sign in but never vote (or finish voting). Thus, it might be possible to subtract
votes from one candidate without altering the poll books and still prevent the attack from being
noticed. An attacker would be limited, however, in the number of votes she could subtract from a
candidate without raising suspicion.

In general, computer systems are programmed to record many activities that occur -
including when they are started up, when they are shut down, etc. A voting terminal could be
programmed to remember when it was started, shutdown, when it printed its zero tape, and the like.
Such records are Event Logs or Audit Logs. Ordinarily, these records could be helpful during a
forensic analysis of voting systems after a suspected attack.

This presupposes there is no paper record, or that if there is such a record, it is not
reviewed.

Acronym for “basic input/output system.” The BIOS is the built-in software that resides
on a Read Only Memory Chip (ROM) that determines what a computer can do without accessing
programs from a disk. Because the software is built-in to the machine, it is not subject to ITA
inspection. It could both (a) contain an attack program and (b) delete entries from an Audit Log that might
otherwise record the attack.

Independent investigators have already established that this is possible against multiple
systems. As noted in the GAO Report, “Evaluations [have shown] that, in some cases, other
computer programs could access ... cast vote files and alter them without the system recording this action
in its audit logs.” GAO Report, supra note 77 at 25. See also Compuware Corporation, Direct Recording
Electronic (DRE) Technical Security Assessment Report at 42, (Nov. 2003) (prepared for the Ohio Secretary
of State), at http://www.sos.state.oh.us/sos/hava/compuware112103.pdf; Harri Hursti, The Black
Box Report: SECURITY ALERT, Critical Security Issues with Diebold Optical Scan Design at 18 (July 2005),
at http://www.blackboxvoting.org/BBVreport.pdf; Michael Shamos, UniLect Corporation PATRIOT
Voting System: An Evaluation at 11 (Apr. 2005) (paper prepared for the Secretary of the
Commonwealth of Pennsylvania) available at
http://www.house.gov/science/hearings/ets04/jun24/shamos.pdf.

Coordinating software attacks with paper records attacks is discussed in greater detail infra
pp. 65-75.

This assumes an audit of the voter-verified paper record is conducted after voting is
complete.

It is possible that an attack program could instruct a DRE printer to cancel votes and print
false paper records to match attacked electronic records. This points to the importance of
examining cancellations on VVPT printouts, as discussed infra pp. 65-71.

See e.g., Kim Zetter, Did e-Vote Firm Patch Election?, Wired News Oct. 13, 2003 (noting that
employee of voting machine vendor claimed uncertified software patches were sent to election
officials throughout Georgia to install just before the 2002 gubernatorial election) available at
http://www.wired.com/news/politics/0,1283,60563,00.html; Andrew Orlowski, California Set to
Reject Diebold e-Voting machines (Apr. 24, 2004) (noting that voting machine vendor sent software
updates to voting machines in California just two weeks before the Presidential Primary in that
state) at http://www.theregister.co.uk/2004/04/24/diebold_california.





For a more detailed list of these potential attacks, as well as the steps and informed
participant values assigned to them, see the “DRE without VVPT Catalog,” Attack Catalogs, supra note
20.

This summary borrows heavily from “Trojan Horse in DRE - OS” posted by Chris Lowe for
the NIST Threat Analysis Workshop in Oct. 2005. A copy of that posting (which provides a more
complete description of the attack) can be found at
http://vote.nist.gov/threats/papers/TrojanHorse-DRE-OS.pdf.

In fact, this is not a hypothetical scenario. We know that most voting systems run on
commercially available operating systems. For instance, at least one major vendor runs its machines on
a version of Microsoft Windows called “CE.” It is not difficult to imagine that one of the vendors’
software developers could install such a Trojan Horse without detection.

121 In this sense, this attack would not require the assistance of an “insider,” such as a
leading state or county election official.

122 As already discussed, such updates and patches are issued on a fairly regular basis. For
instance, on Jan. 6, 2006, Microsoft issued a patch to address a security flaw found in its operating
system. John Fontana, Microsoft Rushes out Patch for Windows Metafile Attack, PC WORLD, Jan. 6, 2006
available at http://www.pcworld.com/news/article/0,aid,124246,00.asp.

123 This assumes that the same DRE system is purchased by every county. Obviously, to the
extent that the attackers wanted to attack more than one type of DRE system, they might need
additional participants in their conspiracy.

124 As already discussed, supra pp. 36-37, there are many ways for an attacker to gain such
knowledge.

125 Appendix G.

126 Of course, few states use a single make and model of machine in every county. But even
if a single DRE model represented 1 in 3 of all machines in the state, the attacker would need only
target those machines and aim to switch between 4 and 6 votes per machine to affect tens of
thousands of votes and change the results of the statewide election.

127 In any event, even where code is subject to inspection, bad code can still get through. In
separate instances in California and Indiana, election officials discovered that uncertified software
had run on voting machines during elections. See Marion County Election Board Minutes (Emergency
Meeting) at 7-18, (April 22, 2004) (Indiana) available at
http://www.indygov.org/NR/rdonlyres/emkiqfxphochfss2s5anfuxbgj3zgpkv557moi3rbr)f3ne44mcni2thdvoywyjcigyeoykwru53mopaa6kt2uxh7ofc/20040422.pdf;
Office of the Secretary of State, Staff Report on the
Investigation of Diebold Elections System, Inc. at 1-2 (Apr. 2004), (California) at
http://www.ss.ca.gov/elections/ks_dre_papers/diebold_report_april20_final.pdf. In one case, the discovery was made
when a vendor employee told a County Clerk; in the other, the uncertified software was revealed
during a statewide audit of machines. We do not suggest that the software was installed to change
the results of elections. Nevertheless, the fact that uncertified software ran on voting machines
during elections, in violation of regulations and state law, demonstrates the difficulty of finding
undesirable software on voting machines during inspection.

128 Exactly what should happen when Parallel Testing finds that tested machines are
misrecording votes is something that California (the only state to regularly perform parallel tests in the
past) has not yet had to deal with. Obviously, merely finding corrupt software on a tested machine
without taking further action will do nothing to thwart a software attack. Parallel Testing is much
less likely to be an effective countermeasure if jurisdictions do not have in place clear procedures
about what steps should be taken when the script and vote totals on a tested machine do not match.

129 All of whom would have to be “insiders,” in the sense that they would have had to have
been chosen by the State or consulting group performing the Parallel Testing.





See discussion in Appendix G. 

Id. This assumes that Pennasota uses the same make and model DRE in every precinct.

See calculations in Appendix G.

133 ;^, 

134 Interview with Jocelyn Whitney, supra note 46.

135 In fact, this is exactly how California has conducted its Parallel Testing: each Parallel
Testing team casts 101 votes. Id.

136 This is because to switch 51,891 votes, Trojan Horses will need to be activated on at least
2883 machines.

137 See Appendix G.

138 We calculate that a minimum of 61 attackers would be needed to subvert Parallel Testing
in this way. The attackers could target 606 polling places in the three largest counties. It would be
necessary for each attacker to get close enough to only ten polling places to transmit a wireless
instruction to trigger the attack.

139 Another possibility is that the Parallel Testers may always record the same number of
votes. In previous elections in California, exactly 101 votes were processed during each Parallel
Test. If the Trojan Horse is programmed to wait until the end of the election to switch votes, it
could avoid all Parallel Testing by changing votes only where machines record more or less than
101 votes by the end of Election Day. E-mail from Jocelyn Whitney (Jan. 2, 2005) (on file with the
Brennan Center).

An alternative solution to the problem of creating a script that mirrors actual voter
patterns would be to select volunteers, or “real” voters, to vote on the tested machines. These
volunteers would be asked to vote as they normally would: this might create more realistic voting patterns
without a script, but it potentially raises other privacy issues. We are not aware of any jurisdiction
that currently performs Parallel Testing in this way.

Supra note 135. 

142 E-mail from Office of the California Secretary of State to Eric L. Lazarus, Principal
Investigator (Feb. 1, 2006) (on file with the Brennan Center).

143 The Pennasota governor’s race was designed to represent a closely contested statewide
election. Our analysis shows that if a Trojan Horse were used to change just one vote per DRE, the
result of the governor's race could be changed. In the case of such an attack, a successful Parallel
Test would “detect” the misrecording of a single vote. Without a videotape of the testing itself, this
misrecording could easily be misattributed to human error (i.e., accidental deviation from the script).
Even with video evidence, there may be a temptation to “explain away” such a discrepancy.

144 The total for the Parallel Testing set of countermeasures depends upon the ability of the
attacker to create an Attack Program that can recognize if it is being tested. As already discussed,
we believe that creating such an attack program would be technically and financially challenging -
or would require the involvement of someone who was involved in or knew of the testing script -
and have therefore agreed that it would probably require two additional conspirators. To the extent
creating such an attack program is not feasible, the attack would require the subversion of at least
58 testers (who might be considered “insiders”) to use a Cryptic Knock to shut off the Trojan
Horse; we believe this would be very difficult to accomplish.

145 For a more detailed list of these potential attacks, as well as the steps and informed
participant values assigned to them, see the “DRE w/VVPT Catalog,” Attack Catalogs, supra note 20.

146 There are other potential entry points for parameterization: wireless communications and
Cryptic Knocks could also contain commands that tell machines when and how to attack a
ballot.

Barbara Simons, Electronic Voting Systems: the Good, the Bad, and the Stupid, The National
Academy of Sciences, Computer Science and Technologies Board, at 7-8, available at
http://www7.nationalacademies.org/cstb/project_evoting_simons.pdf (last visited May 30, 2006).

148 This attack is similar in structure to Ron Harris's attacks against computerized poker and
other gaming machines (supra p. 33): an employee with access to vendor software, hardware or
firmware, inserts the Trojan Horse, which will not trigger until an accomplice sends commands.

See Appendix G. Based upon interviews with election officials in Nevada, we have
concluded that DREs w/VVPT can handle slightly fewer voters per hour than DREs without VVPT.
Accordingly we have estimated that Mega, Capitol and Suburbia county would have to have one
DRE w/VVPT for every 120 voters.

Recounts, supra note 42 at 4. A few states, such as New Hampshire, have laws that allow for
inexpensive, candidate initiative recounts. Attackers might be less inclined to target such states. The
effect of these laws was not a subject of the Task Force analysis.

In fact, it would work exactly the same as any Software Attack Program against DREs,
except that it would also target the VVPT to ensure that the paper records matched the electronic
records.

Ted Selker and Sharon Cohen, An Active Approach to Voting Verification at 2 CalTech/MIT
Voting Technology Project (May 2005), at
http://vote.caltech.edu/media/documents/wps/vtp_wp28.pdf.

Id. at 5. 

Given that many voters are likely to assume the mistake was their own, rather than the
DRE’s, we are skeptical that the number would be this high.

See Appendix G. 

156 Supra, note 46.

Telephone interview with Larry Lomax, Registrar of Voters, Clark County, NV (Dec. 12,
2005).

There are 28,828 DREs w/VVPT in Pennasota. See Appendix G.

As detailed in Appendix A, we believe 606 polling places (in the three largest counties) is
the minimum number of polling places the attacker could target and have a reasonable amount of
certainty that she could still change the outcome of the election. If the attacker targeted 606 polling
places, there would be approximately 22 more paper cancellations in these polling places than
would otherwise be expected (13201/606=22).

Appendix G. 

If the attackers intercepted 550 convoys, there would still be 56 polling places with
mismatching paper and electronic records. That represents roughly 0.2% of all polling places in the
state. Under these circumstances, a 2% Automatic Routine Audit would still have a 66% chance of
catching a mismatch. See Appendix K.

This is because our attackers seek to switch 51,891 votes. To avoid suspicion, they have
not switched more than 15% of votes on any single DRE w/VVPT, which equals 18 (of 120) votes.
51,891/18=2,883.

163 For an explanation as to why nearly all of the paper rolls would need to be replaced in
order to have a reasonable chance of avoiding detection during audit, see Appendix K.

According to the Department of Defense, these seals can cost as little as one or two cents
per seal; the Department of Defense estimates that for several models, it would take a
knowledgeable and highly trained person at least several minutes to “defeat” each seal and gain access to the
ballots. Telephone interview by Eric L. Lazarus with Mike Farrar, Department of Defense Lock
Program, December 15, 2005. After defeating the thousands of seals, attackers would have to find
a way to replace each one with a seal that looked exactly the same and contained the same unique
number as the original.

If the employees assigned to guard the election materials are selected from a large pool of
employees on-duty on election night, and if this selection process is done in a transparently random
process just before the voter-verified paper records arrive at the county warehouse, the attacker
would need to co-opt almost all of the larger pool to have a reasonable chance of co-opting the
employees eventually chosen to guard the materials. This would make their task much more
difficult.

Recounts, supra note 42 at 5.

167 With more than 1,000 voters in many polling places, the attackers could easily replace
enough votes to ensure that Johnny Adams overcame his loss.

Cal. Elec. Code §19253(b)(2) (2006) provides that the “voter-verified paper audit trail
shall govern if there is any difference between it and the electronic record during a one-% manual
tally or full recount.”

Recounts, supra note 42 at 5. 

10 ILL. COMP. STAT. 5/24C-15 (2003).

In their 2004 report, Recommendations of the Brennan Center for Justice & The Leadership Council
on Civil Rights for Improving Reliability of Direct Recording Electronic Voting Systems, (at
http://www.brennancenter.org/programs/downloads/voting_systems_final_recommendations.pdf), the
Brennan Center and the Leadership Conference on Civil Rights recommended that jurisdictions
hire independent security experts and create independent security oversight panels to implement
and oversee security measures. To the extent that jurisdictions have adopted these proposals, these
groups could be present during any forensic investigation to increase its transparency.

172 Where a state determines that electronic records should be given a presumption of
authority, the reverse process would be followed: first investigate the electronic records for
tampering, then (if necessary) examine the paper records.

This number depends upon whether the ballot definition file is created at the vendor or
by individual counties. If the vendor creates the ballot definition file for several counties in the state,
the Trojan Horse can be inserted into the ballot definition files of multiple counties from a central
location. Where each county created its own ballot definition files, at least three informed
participants would be necessary (as we have assumed that a successful attack in Pennasota would target a
minimum of three counties, three separate individuals with access to each county’s ballot definition
files would be needed).

A full catalog of the attacks against PCOS that have been examined can be found in Attack
Catalogs, supra note 20.

See supra notes 88 and 89.

See supra note 89.

The central tabulator is most often employed to perform ballot definition, copying of
ballot definition to the memory cards (so that voter choice will be recorded accurately) as well as
tabulation of voter choice. The central tabulator is a conventional Personal Computer with
additional software added. Accordingly, it provides a convenient single point of attack from which one can
modify all the print drivers from all the PCOS scanners in a single county.

178 This estimate is based upon a review of 19 contracts executed by counties around the
country for purchase of voting machines. Copies of these contracts are on file at the Brennan
Center.

Appendix G. 

7% of 693 votes is 49 votes. If the Software Attack Program tainted 800 machines in the
three largest counties, it could switch close to 40,000 votes.

181 See Assumptions in Appendix G; this assumes the same make and model PCOS scanner
was used throughout the state.

182 This is true with one important caveat: if the PCOS scanners had wireless components,
or were in some other way connected to each other or a central location, additional attackers could
circumvent Parallel Testing via a remote control command that triggered or superseded the attack.

See supra pp. 49-50 (Representative “Least Difficult” Attack: Trojan Horse Inserted Into
Operating System, DRE Attack Number 4).

Specifically, in the 2004 Presidential Election, Central Count Optical Scans had a
residual vote rate of 1.7%, compared to just 0.7% for PCOS. In counties with African-American
populations of greater than 30%, the residual vote rate for Central Count was 4.1%, and for PCOS
just 0.9%. Lawrence Norden, et al., “Voting System Usability” in THE MACHINERY OF DEMOCRACY
(Brennan Center for Justice ed., forthcoming July 2006).

186 N.Y. ELEC. LAW § 7-202 (2006); MINN. STAT. ANN. § 206.845 (2005).

187 Secretary of State for the State of California, Decertification and Withdrawal of Approval of
Certain DRE Voting Systems and Conditional Approval of the Use of Certain DRE Voting System, at 7 (Apr. 30,
2004) available at http://www.ss.ca.gov/elections/ks_dre_papers/decert1.pdf. (“No component of
the [DRE] voting system shall include the hardware necessary to permit wireless communications
or wireless data transfers to be transmitted or received.”)

188 Among them are ES&S and WinVote. See, Jay Wrolstad, Florida Invests $24m in Wireless
Voting Machines, MOBILE TECH TODAY (Jan. 31, 2002) at
http://www.wirelessnewsfactor.com/perl/story/16104.html; Blake Harris, A Vote for the Future, GOVERNMENT TECHNOLOGY
MAGAZINE (Aug 29, 2003) at http://www.govtech.net/magazine/story.php?id=61857&issue=8:2003.

See, Krebs supra note 76 (“A previously unknown flaw in Microsoft’s Windows operating
system is leaving computer users vulnerable to spyware, viruses and other programs that could
overtake their machines. . . .”).

190 Maryland, which does not require voter-verified paper records, also performs Election
Day Parallel Testing. The 12 states that must conduct audits of their voter-verified paper
records after every election are: AK, CA, CO, CT, HI, IL, MN, NM, NC, NY, WA, and WV.

191 The 26 states are: AK, CA, CO, CT, HI, ID, IL, ME, MI, MN, MO, MT, NC, NH, NJ,
NM, NV, NY, OH, OR, SD, UT, VT, WA, WI, and WV.

Laws providing for inexpensive candidate-initiated recounts might also add security for 
voter-verified paper. The Task Force did not examine such recounts as a potential countermeasure. 

Some DREs and DREs w/VVPT may be designed so that they cannot function unless
they are connected to one another. Election officials should discuss this question with voting system
vendors.
1 9'f Two other states, West Virginia and Maine, ban networking of machines without banning 
wireless components themselves. Banning the use of wireless components {even when tliat involves 
disabling them), rather than requiring removal of thew components, still leaves voting systenvs unnec- 
essarily’ insecure. 





See, Recommendations of the Brennan Center for Justice and the Leadership Conference on Civil Rights
for Improving Reliability of Direct Recording Electronic Voting Systems (2004),
http://www.brennancenter.org/programs/downloads/voting_systems_final_recommendations.pdf (recommending that
jurisdictions hire independent security experts and create independent security oversight panels to
implement and oversee security measures). Independent security experts and oversight panel
members should be present during any forensic investigation, to increase its transparency.

196 When a state determines that electronic records should be given a presumption of
authority, the reverse process should be followed: first investigate the electronic records for tampering, then
(if necessary) examine the paper records.

As previously discussed, to ensure the robustness of our findings, we ran our analysis
against the results of the 2004 presidential race in Florida, New Mexico and Pennsylvania.

Many of these definitions are supplemented by text in the report and Appendices.

Recounts, supra note 42 at 3.

200 For further discussion of inspection and testing performed on voting machines, see
Appendix E.

NIST’s Glossary of U.S. Voting Systems, at
http://xw2k.sdct.itl.nist.gov/lynne/votingProj/main.asp (Last visited June 10, 2006).

National Security Telecommunications and Information Systems Security Committee,
NSA National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, at 49 (June 5, 1992),
available at http://www.cultural.com/web/security/infosec.glossary.html.

For a detailed discussion of a history of fraud against paper-based systems through ballot 
stuffing, vote buying and other methods, see HARRIS, supra note 9. 

204 This Appendix is largely borrowed from Douglas Jones’s “Testing Voting Machines,” part
of his Machines Web Pages, which can be found at
http://www.cs.uiowa.edu/~jones/voting/testing.shtml (Last visited June 10, 2006). We thank Professor Jones for permission
to use this material. This material is based upon work partially supported by the National Science
Foundation under Grant No. CNS-052431 (ACCURATE). Any opinions, findings or
recommendations expressed in this material are those of the author and do not necessarily reflect the views of
the National Science Foundation.

20o importance of making sure that observer/participant understand how the random 
numbers arc to be used is amusingly illustrated in the magic special: Penn & Teller: Off' the Deep End 
(NBC television broadcast, Nov 13th, 2005). In this program an unsuspecting individual is fooled 
into thinking that the magicians could figure out in advance what card he or she will select because, 
no matter what card is selected, the magicians can point to its representation somewhere on the 
beach. The humorous approach here is that all 52 playing cards were set up in interesting ways on 
the beach to be revealed. A magician opened his coat for one card, tv,'o kids in the water held up 
their rafts to form a card, a sunbaiher turned around with a card painted on her back, cards were 
found inside of a potted plant and coconut, etc 

206 Based on the parameters we have set for our election in Pennasota, this would be enough 
machints to swing the election betvreenjefi'erson and Adams. Going back to tlic assumptions made 
in this report; the attacker wU! not want to create a swing of more than 15% on any machine; there 
arc 125 votes recorded per machine; this means the attacker will not want to switch more than 
1 6. 75 votes per machine; if her program attacks 2883 machines, she w’ill switch 54,0.56 votes, more 
than the 51,891 “target” votes to switch listed in Appendix G. 

267 Again, this assumes that the .same make and model DRE is used in the entire state. For 
suggestions on how to perform Parallel Testing when tltere are several models of DRE in use in the 
state, see page 88 in this report. 





208 Illinois law provides an example of how to make forensic investigations transparent; in the 
event investigations following a discrepancy revealed in an audit of paper records, the State Board 
of Elections, State’s Attorney or other appropriate law enforcement agencies, the county leader of 
each established political party in the affected county or counties, and qualified civic organizations 
be given prior written notice of the time and place and be invited to observe. 10 ILL. COMP. 
STAT. 5/24C-15 

209 Illinois provides an example of one way to increase the transparency of the investigation: 
the State Board of Elections, State’s Attorney or other appropriate law enforcement agencies, 
the county leader of each established political party in the affected county or counties, and 
qualified civic organizations are given prior written notice of the time and place of all forensic 
investigations of machines or paper and are invited to observe. 





APPENDIX A 

ALTERNATIVE THREAT ANALYSIS MODELS CONSIDERED 

Measuring the complexity of the trusted computing base. 

Before adopting the threat model discussed in this report, the Task Force considered 
other potential methods of analysis, including measuring the complexity of 
the trusted computing base. In computer security terminology, the trusted computing 
base (the “TCB”) is the “totality of protection mechanisms within a computing 
system including hardware, firmware and software, the combination of which 
is responsible for enforcing a security policy.” 

For many Task Force members, evaluating the complexity of the TCB was an 
attractive method for evaluating the relative security of different voting systems. 
In essence, this methodology would look at how “complicated” the trusted computing 
base of each system was by reviewing code and other technological complexities. 
The more complex the TCB, the more likely that it could be attacked 
without notice. 

We quickly realized that this was not a satisfactory way to analyze the relative 
security of systems. If we only looked at the complexity of the voting system TCB 
in analyzing its vulnerabilities, we would come to some very strange conclusions 
and ignore some important historical lessons about election fraud. For instance, 
under this system of analysis, the hand counting of ballots would carry no risk 
(there would be no TCB under this system). In fact, as election officials know all 
too well, pure paper elections have repeatedly shown themselves to be vulnerable 
to election fraud. 

While it may be wise to minimize the total amount of technology we “trust” in 
elections, as a method for assessing the strength of a voting system and identifying 
potential weaknesses, it does not appear to provide a useful means of analysis. 

Counting points of vulnerability. 

A related methodology would be to look at the points of vulnerability within a 
system. At first blush, this also appeared to be an attractive method for a security 
analysis. Obviously, we would like to minimize the ways that an attacker might 
compromise an election. It is easier to guard one door than a thousand. 

As a practical matter, however, it did not appear to be a very good way to prioritize 
threats, or identify vulnerabilities that election officials should be most worried 
about. Obviously a system with three highly vulnerable points that are 
impossible to protect is not preferable to a system with four small points of 
vulnerability that are easy to protect. 





Examining Adherence to NIST Risk Assessment Controls. 

This model would compare voting systems with guidelines established in NIST 
Special Publication 800-30, Risk Management Guide for Information 
Technology Systems. Special Publication 800-30 provides a generic methodology 
for examining, assessing, and mitigating risk. However, it does not specifically 
address threats and vulnerabilities unique to the voting environment. For this 
reason, the Task Force rejected it as a basis for establishing a voting systems threat 
analysis model. 





THE MACHINERY OF DEMOCRACY: PROTECTING ELECTIONS IN AN ELECTRONIC WORLD 


APPENDIX B 

VOTING MACHINE DEFINITIONS 

Direct Recording Electronic Voting Machine 

A Direct Recording Electronic (“DRE”) voting machine directly records the 
voter’s selections in each race or contest. It does so via a ballot that appears on a 
display screen. Typical DRE machines have flat panel display screens with touch-screen 
input, although other display technologies have been used (this includes 
paper and push button displays). The defining characteristic of these machines is 
that votes are captured and stored electronically. 

Software is updated in DRE systems via various methods, specific to each voting 
system. In general, software updating involves someone (usually a technician or 
election official representative) installing new software over older software using 
whatever medium the DRE uses to transport votes (sometimes, it is done using 
laptop computers, using special software provided by vendors). 

Examples of DRE systems include: Hart InterCivic’s eSlate, Sequoia’s AVC Edge, ES&S’s 
iVotronic, Diebold AccuVote-TS and AccuVote-TSX, AVS WinVote and UniLect Patriot. 

Direct Recording Electronic Voting Machine with Voter-Verified 
Paper Trail 

A Direct Recording Electronic Voting Machine with Voter-Verified Paper Trail 
(“DRE w/VVPT”) is a DRE that captures a voter’s choice both (1) internally in 
purely electronic form, and (2) contemporaneously on paper, as a voter-verified 
record. A DRE w/VVPT allows the voter to view and confirm the accuracy of 
the paper record. 

Examples of DRE w/VVPT include: AccuPoll, Avante Vote-Tracker EVC-308SPR, Sequoia 
VeriVote with Printer attachment, TruVote and Diebold Accuview with VVPT Printer 
attachment. 

Precinct Count Optical Scan 

Precinct Count Optical Scan (“PCOS”) is a voting system that allows voters to 
mark paper ballots, typically with pencils or pens. Voters then carry their ballots 
(sleeved or otherwise protected so that others cannot see their choices) by hand to 
a scanner. At the scanner, they un-sleeve the ballot and insert it into the scanner, 
which optically records the vote. 

Examples of PCOS include: Avante Optical Code Tracker, ES&S Model 100, Sequoia or 
ES&S Optech III-P Eagle, Diebold AccuVote-OS. 





APPENDIX C 

ALTERNATIVE SECURITY METRICS CONSIDERED 

Dollars Spent 

The decision to use the number of informed participants as the metric for attack 
level difficulty came after considering several other potential metrics. One of the 
first metrics we considered was the dollar cost of attacks. This metric makes sense 
when looking at attacks that seek financial gain - for instance, misappropriating 
corporate funds. It is not rational to spend $100,000 on the misappropriation of 
corporate funds if the total value of those funds is $90,000. Ultimately, we rejected 
this metric as the basis for our analysis because the dollar cost of the attacks 
we considered was dwarfed by (1) current federal and state budgets, and (2) the 
amounts currently spent legally in state and federal political campaigns. 

Time of Attack 

The relative security of safes and other safety measures is often rated in terms 
of “time to defeat.” This was rejected as a metric of difficulty because it did not 
seem relevant to voting systems. Attackers breaking into a house are concerned 
with the amount of time it might take to complete their robbery because the 
homeowners or police might show up. With regard to election fraud, many 
attackers may be willing to start months or years before an election if they believe 
they can control the outcome. As discussed supra pp. 33-47, attackers may be confident 
that they can circumvent the independent testing authorities and other 
measures meant to identify attacks so that the amount of time an attack takes 
becomes less relevant. 





APPENDIX D 

BRENNAN CENTER SECURITY SURVEY 

1. Do you request that your responses remain anonymous? 

□ yes □ not necessary 

2. What type of machine(s) did you use in the last election (please indicate make, 
model and type)? And do you expect to use different machines within the 
next two years (if so, indicate which new machines you expect to use)? 

3. Does your jurisdiction provide voters with sample ballots before Election 
Day? 

4. What security measures does your jurisdiction take related to the storage of 
voting machines? 

a. Are machines stored in a secure location? If so, in what type of location 
are they stored and how are they made secure? 

b. Are there tamper-evident seals placed on machines? If so, when are they 
placed around machines? When are they taken off? 

c. Is inventory of machines taken at any time between elections? 

d. Other security measures during storage? If so, please detail these secu- 
rity measures. 

5. What security measures does your jurisdiction take when transporting 
machines to polling place? 

a. How and by whom are the machines transported? 

b. How long between transportation and use on Election Day? 

c. Other security measures during transportation? If so, please detail these 
security measures. 

6. What, if any, testing is done to ensure that the machines are properly recording 
and tallying votes (“Logic and Accuracy Testing”) of machines prior to or 
on Election Day? If testing is done, please detail who does testing and how 
it is done. 





7. What, if any, security measures do you take on Election Day immediately 
prior to opening polls? 

a. Inventory of machines, parts (please indicate which parts)? 

b. Check clock on machines? 

c. Check ballots to ensure correct precinct? 

d. Record number of ballots? 

e. Print and sign zero tape? 

f. Other security measures immediately prior to opening polls? If so, 
please detail these security measures. 

8. What, if any, security measures do you take during the period in which polls 
are open? 

a. Entry and exit of each voter to/from polling place recorded in poll 
books? 

b. If you use DRE with paper trail, is each voter encouraged to verify the 
accuracy of the paper receipt? If so, how? 

c. If machine is OpScan, is anything done to ensure that overvote protec- 
tion is not turned off manually? If so, what is done? 

d. If machine is OpScan, is there a stated/written policy for how poll work- 
ers should deal with a ballot that is rejected by the machine because of 
an overvote? If so, what is that policy? 

e. If you use DRE with verified paper trail or OpScans, how is ballot/paper 
stored after votes have been cast on Election Day? 

f. If there are ballots or machine produced paper, what is done with 
“spoiled” ballots/paper? 

g. Other security measures taken on Election Day? If so, please detail these 
security measures. 

9. What, if any, security measures are taken at close of Election Day? 

a. If you have cartridges with ballot images, are these collected to ensure 
that number of cartridges matches number of machines? 





b. Are numbers of blank and spoiled ballots determined? 

c. Do poll workers sign ballot tapes? If so, when? 

d. How are vote tallies in polling place reported to central office (e.g., phone, 
modem, other method)? 

e. What measures are taken to ensure that polling place vote tallies are 
accurately recorded at central office? 

f. What is done with (i) machine cartridges, (ii) machine tapes, and (iii) poll 
books at close of election? Are these placed in a secure location? If so, 
how do you make placement secure (please answer separately for each)? 

g. What measures are taken to ensure that valid provisional ballots are 
accurately counted and secured for potential recounts? 

h. If you use OpScan or DRE with a verified paper trail, what is done with 
these ballots/papers at close of Election Day? 

i. Is there any public posting of polling place tallies by individual polling 
places (other than report to central office)? If so, where is this posting 
made? 

j. What is done with machines at close of the polls, after votes have been 
counted? 

k. Other security measures after close of Election Day? If so, please detail 
these security measures. 

10. The Brennan Center is currently conducting research about voting machines 
in a variety of areas, including voting machine security. We would very much 
like to have the insights of election officials, who understand the practical 
concerns of running an election and ensuring that it is conducted as securely 
as possible. 

We may want to follow up by telephone or e-mail to ask about your responses. 

Would you have any objection to this? 

County, State: 

Name/Title: 

Phone/e-mail: 

Best time to follow up: 





APPENDIX E 

VOTING MACHINE TESTING 

An Overview of Voting Machine Testing 

Voting systems are subjected to many tests over their lifetimes, beginning with 
testing done by the manufacturer during development and ending on Election 
Day. These tests are summarized below, along with a brief description of the 
strengths and weaknesses of each test. 

■ Internal testing at the vendor 
■ Independent Testing Authority certification 
■ State qualification tests 
■ Tests conducted during contract negotiation 
■ Acceptance Testing as delivered 
■ Pre-election (Logic and Accuracy) testing 
■ Testing as the polls are opened 
■ Parallel Testing during an election 
■ Post-election testing 

Internal Testing at the Vendor 

All responsible product developers intensively test their products prior to allowing 
any outsiders to use or test them. The most responsible software development 
methodologies ask the system developers to develop suites of tests for each software 
component even before that component is developed. The greatest weakness 
of these tests is that they are developed by the system developers themselves, 
so they rarely contain surprises. 

Independent Testing Authority Certification 

Starting with the 1990 FEC/NASED standards, independent testing authorities 
(ITAs) have tested voting systems, certifying that these systems meet the letter of 
the “voluntary” standards set by the federal government and required, by law, in 
most states. Several states, such as Florida, that impose additional standards contract 
with the same labs to test to these stronger standards. 

The ITA process has two primary weaknesses: First, the standards contain many 
specifics that are easy to test objectively (the software must contain no “naked 
constants” other than zero and one) and others that are vague or subjective (the 
software must be well-documented). The ITAs are very good at testing to the specific 
objective requirements, but where subjective judgment or vague requirements 
are stated, the testing is frequently minimal. 

Second, there are many requirements for voting systems that are obvious to 
observers in retrospect but that are not explicitly written in the standards (e.g., 
Precinct 216 in Volusia County, Florida reported -16,022 votes for Gore in 2000; 
prior to this, nobody thought to require that all vote totals be positive). The ITA 
cannot be expected to anticipate all such omissions from the standards. 

Finally, the ITA tests are almost entirely predictable to the developers, as with the 
vendor’s internal testing. Barring outright oversights or carelessness on the part of 
the vendor, and these do occur, and barring the vendor’s decision to use the ITA 
process in lieu of an extensive internal testing program, the ITA testing can be 
almost pro forma. Catching carelessness on the part of the vendor and offering a 
guarantee that minimal standards have been met are sufficiently important that 
the ITA process should not be dismissed out of hand. 

State Qualification Tests 

While some states allow any voting system to be offered for sale that has been certified 
to meet the “voluntary” federal standards, many states impose additional 
requirements. In these states, vendors must demonstrate that they have met these 
additional standards before offering their machines for sale in that state. Some 
states contract out to the ITAs to test to these additional standards, some states 
have their own testing labs, some states hire consultants, and some states have 
boards of examiners that determine if state requirements are met. 

In general, there is no point in having the state qualification tests duplicate the 
ITA tests. There is considerable virtue in having state tests that are unpredictable, 
allowing state examiners to use their judgment and knowledge of the shortcomings 
of the ITA testing to guide their tests. This is facilitated by state laws that give 
the board members the right to use their judgment instead of being limited to 
specific objective criteria. Generally, even when judgment calls are permitted, the 
board cannot reject a machine arbitrarily, but must show that it violates some 
provision required by state law. 

State qualification testing should ideally include a demonstration that the voting 
machine can be configured for demonstration elections that exercise all of the 
distinctive features of that state’s election law, for example, straight party voting, 
ballot rotation, correct handling of multi-seat races, and open or closed primaries, 
as the case may be. Enough ballots should be voted in these elections to verify 
that the required features are present. 





Tests Conducted During Contract Negotiation 

When a jurisdiction puts out a request for bids, it will generally allow the finalists 
to bring in systems for demonstration and testing. It is noteworthy that federal 
certification and state qualification tests determine whether a machine meets the 
legal requirements for sale, but they generally do not address any of the economic 
issues associated with voting system use, so it is at this time that economic issues 
must be evaluated. 

In addition, the purchasing jurisdiction (usually the county) has an opportunity, 
at this point, to test the myriad practical features that are not legislated or written 
into any standards. As of 2004, neither the FEC/NASED standards nor the standards 
of most states address a broad range of issues related to usability, so it is 
imperative that local jurisdictions aggressively use the system, particularly in 
obscure modes of use such as those involving handicapped access (many blind 
voters have reported serious problems with audio ballots, for example). 

It is extremely important at this stage to allow the local staff who will administer 
the election system to participate in demonstrations of the administrative side of 
the voting system, configuring machines for mock elections characteristic of the 
jurisdiction, performing pre-election tests, opening and closing the polls, and 
canvassing procedures. Generally, neither the voting system standards, nor state 
qualification tests address questions of how easy it is to administer elections on the 
various competing systems. 

Acceptance Testing as Delivered 

Each machine delivered by a vendor to the jurisdiction should be tested. Even if 
the vendor has some kind of quality control guarantees, these are of no value 
unless the customer detects failures at the time of delivery. At a minimum, such 
tests should include power-on testing and basic user interface tests (e.g., do all the 
buttons work, does the touch-screen sense touches at all extremes of its surface, do 
the paper-feed mechanisms work, does the uninterruptible power supply work). 

By necessity, when hundreds or even thousands of machines are being delivered, 
these tests must be brief, but they should also include checks on the software versions 
installed (as self-reported), checks to see that electronic records of the serial 
numbers match the serial numbers affixed to the outside of the machine, and so on. 

It is equally important to perform these acceptance tests when machines are 
upgraded or repaired as it is to perform them when the machines are delivered 
new, and the tests are equally important after in-house servicing as they are after 
machines are returned from the vendor’s premises. 

Finally, when large numbers of machines are involved, it is reasonable to perform 
more intensive tests on some of them, tests comparable to the tests that ought to 
be performed during qualification testing or contract negotiation. 





Pre-Election (Logic and Accuracy) Testing 

Before each election, every voting machine should be subject to public testing. 
This is frequently described as Logic and Accuracy Testing or simply L&A 
Testing, a term that is more appropriate in the realm of punch-card and mark-sense 
ballot tabulating machines than in the realm of direct recording electronic 
systems, but the term is used widely, and in many states, it is enshrined in state 
law. 

The laws or administrative rules governing this testing vary considerably from 
state to state. Generally, central-count paper ballot tabulating machinery can be 
subject to more extensive tests than voting machines, simply because each county 
needs only a few such machines. Similarly, precinct-count paper ballot tabulating 
machinery, with one machine per precinct, can be tested more intensively 
than voting machines, which may number in the tens per precinct. 

An effective test should verify all of the conditions tested in Acceptance Testing, 
since some failures may have occurred since the systems arrived in the warehouse. 
In addition, the tests should verify that the machines are correctly configured for 
the specifics of this election, with the correct ballot information loaded, including 
the names of all applicable candidates, races and contests. 

The tabulation system should be tested by recording test votes on each machine, 
verifying that it is possible to vote for each candidate on the ballot and that these 
votes are tabulated correctly all the way through to the canvass; this can be done, 
for example, by casting a different number of votes for each candidate or issue 
position in each race or contest on the ballot. 

When multiple machines are configured identically, this part of the test need only 
be performed in full and manually on one of the identical machines, while on the 
others, it is reasonable to simplify the testing by verifying that the other machines 
are indeed configured identically and then using some combination of automated 
self-test scripts and simplified manual testing. 

For mark-sense voting systems, it is important to test the sensor calibration, verifying 
that the vote detection threshold is appropriately set between a blank spot 
on the ballot and a dark pencil mark. The calibration should be tested in terms 
of pencil marks even in jurisdictions that use black markers because it is inevitable 
that some voters will use pencils, particularly when markers go dry in voting 
booths or when ballots are voted by mail. One way to judge the appropriateness 
of the threshold setting is to see that the system distinguishes between hesitation 
marks (single dots made by accidentally resting the pencil tip on a voting target) 
and X or checkmarks, since the former are common accidents not intended as 
votes, and most state laws allow an X or check to be counted as a vote even 
though such minimal marks are never recommended. 





For touch-screen voting systems, it is important to test the touch-screen calibration, 
verifying that the machine can sense and track touches over the entire surface 
of the touch-screen. Typical touch-screen machines have a calibration mode 
in which they either display targets and ask the tester to touch them with a stylus, 
or they display a target that follows the point of the stylus as it is slid around the 
screen. 

For voting systems with audio interfaces, this should be checked by casting at least 
some of the test ballots using this interface. While doing this, the volume control 
should be adjusted over its full range to verify that it works. Similarly, where multiple 
display magnifications are supported, at least one test ballot should be voted 
for each ballot style using each level of magnification. Neither of these tests can 
be meaningfully performed using automatic self-testing scripts. 

The final step of the pre-election test is to clear the voting machinery, setting all 
vote totals to zero and emptying the physical or electronic ballot boxes, and then 
sealing the systems prior to their official use for the election. 

Ideally, each jurisdiction should design a pre-election test that, between all tested 
machines, not only casts at least one vote per candidate on each machine, but also 
produces an overall vote total arranged so that each candidate and each yes-no 
choice in the entire election receives a different total. Designing the test this way 
verifies that votes for each candidate are correctly reported as being for that candidate 
and not switched to other candidates. This will require voting additional 
test ballots on some of the machines under test. 
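The test design described above, worked through as an added illustration (not code from the report or from Professor Jones's pages): it builds a test deck with at least one vote per choice on every machine and a different election-wide total for every choice, then shows that a canvass crediting one candidate's votes to another passes a uniform deck but fails this one. The ballot, machine serial numbers and function names are constructed for the example.

```python
from collections import Counter
from itertools import cycle

# Constructed sample ballot (contest -> choices); not taken from the report.
BALLOT = {
    "Governor": ["Adams", "Jefferson", "Madison"],
    "Senator": ["Burr", "Clinton"],
    "Measure 1": ["Yes", "No"],
}
MACHINES = ["DRE-001", "DRE-002", "DRE-003"]  # hypothetical serial numbers


def uniform_deck(ballot, machines, votes=1):
    """Naive deck: the same number of test votes for every choice on every machine."""
    return {m: {(c, ch): votes for c, chs in ballot.items() for ch in chs}
            for m in machines}


def distinct_total_deck(ballot, machines):
    """At least one vote per choice on each machine, plus extra votes spread
    round-robin so every choice in the whole election gets a different total."""
    deck = uniform_deck(ballot, machines)
    next_machine = cycle(machines)
    choices = [(c, ch) for c, chs in ballot.items() for ch in chs]
    for extra, key in enumerate(choices):   # the i-th choice gets i extra votes
        for _ in range(extra):
            deck[next(next_machine)][key] += 1
    return deck


def expected_totals(deck):
    """Election-wide total per (contest, choice), summed over all machines."""
    totals = Counter()
    for per_machine in deck.values():
        totals.update(per_machine)
    return dict(totals)


def ballots_needed(deck, ballot):
    """Test ballots to vote on each machine. In vote-for-one contests the busiest
    contest sets the count; other contests are left blank on the extra ballots."""
    return {m: max(sum(votes[(c, ch)] for ch in chs) for c, chs in ballot.items())
            for m, votes in deck.items()}


def canvass(deck, swapped=None):
    """Stand-in for the tabulation chain under test. `swapped` names two choices
    whose totals are exchanged, modelling votes reported for the wrong candidate."""
    reported = expected_totals(deck)
    if swapped:
        a, b = swapped
        reported[a], reported[b] = reported[b], reported[a]
    return reported


def discrepancies(deck, reported):
    """Choices whose reported total differs from the deck: {key: (expected, got)}."""
    want = expected_totals(deck)
    return {k: (want[k], reported.get(k)) for k in want if reported.get(k) != want[k]}


if __name__ == "__main__":
    swap = (("Governor", "Adams"), ("Governor", "Jefferson"))
    for name, deck in (("uniform", uniform_deck(BALLOT, MACHINES)),
                       ("distinct", distinct_total_deck(BALLOT, MACHINES))):
        print(name, "ballots per machine:", ballots_needed(deck, BALLOT))
        print(name, "swap detected:", bool(discrepancies(deck, canvass(deck, swap))))
```
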

Pre-election testing should be a public process. This means that the details and 
rationale of the tests must be disclosed, the testers should make themselves available 
for questioning prior to and after each testing session, representatives of the 
parties and campaigns must be invited, and an effort must be made to make space 
for additional members of the public who may wish to observe. This requires that 
testing be conducted in facilities that offer both adequate viewing areas and some 
degree of security. 

It is important to assure that the voting machine configuration tested in the pre-election 
tests is the same configuration used on Election Day. Loading new software 
or replacing hardware components on a voting machine generally requires 
the repetition of those parts of the pre-election tests that could possibly depend 
on the particular hardware or software updates that were made. 


Testing as the Polls are Opened 

Prior to opening the polls, every voting machine and vote tabulation system 
should be checked to see that it is still configured for the correct election, including 
the correct precinct, ballot style, and other applicable details. This is usually 
determined from a startup report that is displayed or printed when the system is 
powered up. 





In addition, the final step before opening the polls should be to verify that the ballot 
box (whether physical or virtual) is empty, and that the ballot tabulation system 
has all zeros. Typically, this is done by printing a zeros report from the 
machinery. Ideally, this zeros report should be produced by identically the same 
software and procedures as are used to close the polls, but unfortunately, outside 
observers without access to the actual software can verify only that the report 
itself looks like a poll closing report with all vote totals set to zero. 

Some elements of the acceptance tests will necessarily be duplicated as the polls 
are opened, since most computerized voting systems perform some kind of 
power-on self-test. In some jurisdictions, significant elements of the pre-election 
test have long been conducted at the polling place. 

Observers, both partisan observers and members of the public, must be able to 
observe all polling place procedures, including the procedures for opening the 
polls. 


Parallel Testing During an Election 

Parallel Testing, also known as election-day testing, involves selecting voting 
machines at random and testing them as realistically as possible during the period 
that votes are being cast. The fundamental question addressed by such tests 
arises from the fact that pre-election testing is almost always done using a special 
test mode in the voting system, and corrupt software could potentially arrange to 
perform honestly while in test mode while performing dishonestly during a real 
election. 

Parallel Testing is particularly valuable to address some of the security questions 
that have been raised about Direct Recording Electronic voting machines (for 
example, touch-screen voting machines), but it is potentially applicable to all electronic 
vote counting systems. 

It is fairly easy to enumerate a long list of conditions that corrupt election software 
could check in order to distinguish between testing and real elections. It 
could check the date, for example, misbehaving only on the first Tuesday after the 
first Monday of November in even numbered years, and it could test the length 
of time the polls had been open, misbehaving only if the polls were open for at 
least 6 hours, and it could test the number of ballots cast, misbehaving only if at 
least 75 were encountered, or it could test the distribution of votes over the candidates, 
misbehaving only if most of the votes go to a small number of the candidates 
in the vote-for-one races or only if many voters abstain from most of the 
races at the tail of the ballot. 

Pre-set vote scripts that guarantee at least one vote for each candidate or that 
guarantee that each candidate receives a different number of votes can be detected 
by dishonest software. Therefore, Parallel Testing is best done either by using 
a random distribution of test votes generated from polling data representative of 
the electorate, or by asking real voters to volunteer to help test the system (perhaps 
asking each to flip a coin to decide secretly whether they will vote for the 
candidates they like or for the candidates they think their neighbor likes). 

It is important to avoid the possibility of communicating to the system under test
any information that could allow the most corrupt possible software to learn that
it is being tested. Ideally, this requires that the particular machines to be tested be
selected at the last possible moment and then opened for voting at the normal
time for opening the polls and closed at the normal time for closing the polls. In
addition, mechanical vote entry should not be used, but real people should vote
each test ballot, with at least two observers noting either that the test script is followed
exactly or noting the choices made. (A video record of the screen might be
helpful.)

Parallel Testing at the polling place is a possibility. This maximizes exposure of 
the testing to public observation and possibly to public participation, an impor- 
tant consideration because the entire purpose of these tests is to build public con- 
fidence in the accuracy of the voting system. 

However Parallel Testing is conducted, it is important to guard against any possibility
of contamination of the official canvass with ballot data from voting
machines that were subject to Parallel Testing. By their very nature, these votes
are indistinguishable from real votes, except for the fact that they came from a
machine under test. Therefore, physical quarantine of the vote totals from the
Parallel Testing is essential. Use of a different color for paper in the printer under
test, use of distinctively colored data cartridges, warning streamers attached to
cartridges, and similar measures may all be helpful. In addition, if the serial number
of the voting machine is tied to its votes through the canvass, a check to make
sure that the serial numbers of the machines under Parallel Testing do not appear
in the canvass is obviously appropriate.

If polling places are so small that there is no room to select one machine from the
machines that were delivered to that polling place, it is possible to conduct
Parallel Testing elsewhere, pulling machines for testing immediately prior to
delivery to the polling place and setting them aside for testing. In that case, it is
appropriate to publish the location of the testing and invite public observation.
Casual drop-in observation can be maximized by conducting the tests near a
polling place and advertising to the voters at that polling place that they can stop
by after voting to watch or perhaps participate.

Post-election Testing 

Some jurisdictions require routine post-election testing of some of the voting
machinery, to make sure that, after the canvassing process was completed, the
machinery is still working as well as it did before the election. Generally, these
tests are very similar to pre-election or Logic and Accuracy Testing.

Clearly, where the machines themselves hold the evidence of the vote count, as
with mechanical lever voting machines or direct recording electronic voting
machines, this evidence must not be destroyed until law and prudence agree that
it is no longer relevant to any potential legal challenge to the election.

In the event of a recount, all of the pre-election tests that do not involve possible 
destruction of the votes being recounted must be repeated in order to assure that 
the machinery used in the recount is operating correctly. 





APPENDIX F 

EXAMPLE OF 

TRANSPARENT RANDOM SELECTION PROCESSES 

A transparent random selection is one where members of the public can verify 
that, at the time of the choice, all selections were equally probable. Here are two 
examples of (reasonably) transparent random choice methods. There are many 
variations on these methods. 

Method A: Each member of a group of individuals representing diverse interests
chooses a random number (by any method) in a specified range 1..N and writes
it down on a slip of paper. After each participant has chosen a number, the numbers
are revealed to all and added. They are then divided by N and the “integer
remainder” is the number that is chosen (this is known in mathematics as the
“modulo”).

The best way to understand this is by example. Little Pennasota County has 9
machines (labeled “1” through “9”) and wants to select one of these machines to
Parallel Test. They want to ensure that the machine is chosen at random. To do
this, they bring together several participants: a member of the League of Women
Voters, the Democratic-Republicans, the Federalists, the Green Party, and the
Libertarian Party. Each person is asked to select a number. The League of
Women Voters’ representative selects the number 5, the Democratic-Republican
chooses 6, the Federalist chooses 9, the Green chooses 8 and the Libertarian
chooses 9. These numbers are then revealed and added: 5+6+9+8+9=37. They
are then divided by 9. The integer remainder is 1, because 37 is divisible by 9 four
times, with an integer remainder of 1 (or, 36 + 1). In this scenario, machine number
1 is chosen.

Any member of the group can assure the result is not “fixed” by the others. In 
the example above, all of the political parties might want to conspire to ensure 
that machine number 2 is picked for Parallel Testing. However, the League of 
Women Voters representative will prevent them from being able to do this: with- 
out knowing what number she is going to pick, they cannot know what the inte- 
ger remainder will be. 
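
Method A as an added example (not code from the report): the paper slip is replaced by a SHA-256 commitment, so the same commit-then-reveal order can be checked by anyone who holds the published digests. The class and function names, the hash commitment, and the rule that a remainder of 0 selects item N are assumptions made here; the five numbers are the report's own Little Pennasota example.

```python
import hashlib
import hmac
import secrets


def commit(value: int, nonce: bytes) -> str:
    """Digital stand-in for writing a number on a folded slip of paper.

    The random nonce keeps observers from guessing the number by hashing
    every value in the small range 1..N.
    """
    return hashlib.sha256(nonce + value.to_bytes(8, "big")).hexdigest()


class TransparentSelection:
    """Method A: commit, reveal, add, take the remainder modulo N."""

    def __init__(self, n_items: int):
        if n_items < 1:
            raise ValueError("need at least one item to choose from")
        self.n = n_items
        self.commitments = {}   # participant -> hex digest (the "slip")
        self.revealed = {}      # participant -> number in 1..N
        self.sealed = False

    def submit(self, who: str, digest: str) -> None:
        if self.sealed:
            raise RuntimeError("commitments are closed")
        if who in self.commitments:
            raise ValueError(f"{who} has already committed")
        self.commitments[who] = digest

    def seal(self) -> None:
        """Close the commit phase; only now may anyone reveal."""
        self.sealed = True

    def reveal(self, who: str, value: int, nonce: bytes) -> None:
        if not self.sealed:
            raise RuntimeError("no reveals before every slip is in")
        if who not in self.commitments:
            raise ValueError(f"{who} never committed")
        if not 1 <= value <= self.n:
            raise ValueError(f"{who}: {value} is outside 1..{self.n}")
        if not hmac.compare_digest(commit(value, nonce), self.commitments[who]):
            raise ValueError(f"{who}: revealed number does not match the slip")
        self.revealed[who] = value

    def result(self) -> int:
        missing = set(self.commitments) - set(self.revealed)
        if missing:
            # Someone who withholds a reveal after seeing the others could
            # veto outcomes they dislike, so the draw is void, not partial.
            raise RuntimeError(f"draw void, no reveal from: {sorted(missing)}")
        remainder = sum(self.revealed.values()) % self.n
        # Assumption: remainder 0 selects item N, so every label 1..N is reachable.
        return remainder if remainder else self.n


def run_draw(choices: dict, n_items: int) -> int:
    """Run both phases for honest participants and return the chosen item."""
    draw = TransparentSelection(n_items)
    slips = {}
    for who, value in choices.items():
        nonce = secrets.token_bytes(16)
        slips[who] = (value, nonce)
        draw.submit(who, commit(value, nonce))
    draw.seal()
    for who, (value, nonce) in slips.items():
        draw.reveal(who, value, nonce)
    return draw.result()


def outcomes_for_honest_choice(colluders: dict, n_items: int) -> list:
    """Chosen item for each number a single honest participant might pick."""
    return [run_draw({**colluders, "honest": v}, n_items)
            for v in range(1, n_items + 1)]


# The report's example: 9 machines, five participants.
PAGE_EXAMPLE = {
    "League of Women Voters": 5,
    "Democratic-Republican": 6,
    "Federalist": 9,
    "Green": 8,
    "Libertarian": 9,
}

if __name__ == "__main__":
    print("machine chosen:", run_draw(PAGE_EXAMPLE, 9))
    parties = {k: v for k, v in PAGE_EXAMPLE.items()
               if k != "League of Women Voters"}
    # Whatever the four parties fix in advance, the one honest number
    # still moves the result across all nine machines.
    print("outcomes as the honest number varies:",
          outcomes_for_honest_choice(parties, 9))
```
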

Method B: Color-coded, transparent 10-sided dice are rolled (in a dice cup) in
public view. The digits on the top faces of the dice are read off in a fixed order
determined by the colors (e.g., first red, then white, then blue). This yields a random
3-digit number. If the number is out of the desired range, it is discarded and
the method performed again.

Note about transparently random selection process:

For a transparently random selection process to work, (1) how the randomly
selected number is going to be used must be clearly stated in advance (i.e., if we
are choosing a number to decide which machine to parallel test, each machine
must be labeled with one of the numbers that may be chosen), (2) the process for
randomly selecting numbers must be understood by all participants, and (3) the
event of randomly selecting numbers must be observable to all participants (and,
if possible, members of the public).

For example, if we are picking what team of police are going to be left to look
after the locked-up and security-sealed election materials before completion of
the Automatic Routine Audit, the observers and participants must see the committed
list of police that are being selected from in advance of the selection. The
list must be posted visibly or in some other way “committed to” so that the association
between random numbers selected and people selected cannot be
switched after the numbers are produced.

In terms of aligning auditors to roles and machines to be audited, the goal might
be to make sure that there is one Democratic-Republican and one Federalist
assigned to review the paper records (the readers) and one Democratic-Republican
and one Federalist assigned to tally the records (the writers). There
should be no way to know what machines anyone will be assigned to, nor who will
be teamed with whom during the audit.

If the use or interpretation of the random numbers is not clear and committed
in advance, then an appropriately situated attacker might “interpret” the random
number in a way that allows the attack to go undetected by, for example, assigning
attackers as auditors for all the subverted machines.





APPENDIX G 

ASSUMPTIONS 

FACTS/ASSUMPTIONS ABOUT THE PENNASOTA GOVERNOR'S RACE
REFERRED TO IN THIS REPORT

GENERAL FACTS/ASSUMPTIONS ABOUT PENNASOTA IN 2007

Total Number of votes cast in gubernatorial election                        3,459,379
Votes Cast for Tom Jefferson                                                1,769,818
Votes Cast for Johnny Adams                                                 1,689,561
Margin of victory (votes) for Tom Jefferson                                 80,257
Margin of victory (%) for Tom Jefferson                                     2.32%
Target % votes to change in favor of Adams                                  3.0%
Target votes to add or subtract in hypothetical attacked election           103,781
Target votes to switch in Governor's Race                                   51,891

LIMITS ON ATTACKER

Maximum % of Votes Added or Subtracted Per County                           10% (5% switch)
Maximum % of Votes Added or Subtracted Per Polling Place                    15% (7.5% switch)
Maximum % of Votes Added or Subtracted Per Voting Machine                   30% (15% switch)

FACTS/ASSUMPTIONS ACROSS SYSTEMS

Minimum Number counties attacked
Total Number of polling places in state
Number of votes per polling place                                           1,142
Number polling stations that must be attacked
  where less than 15% of votes are added or subtracted                      606
Minimum Number of Attackers to develop and install Trojan Horse             1
Minimum Number of Attackers to parameterize Trojan Horse                    1
Number of machines unusable per polling place to create "bottleneck"        3
Maximum number of discouraged voters (decide not to vote)
  per polling place under bottleneck                                        88 (7.7%)
Number of votes potentially gained at polling place under bottleneck        70
Maximum % of unfriendly voters in targeted polling places
  under bottleneck                                                          90%
Percentage of friendly - foe votes under bottleneck                         10%



Number of observers of polling book                                         1
Number of people needed to delete voters from poll book per polling place   1
Number of people required to modify enough poll books
  to change outcome of statewide election                                   606
Number of times single person can fraudulently vote                         10
Number of people required to subvert audit                                  386

GENERAL ASSUMPTIONS FOR THREE LARGEST COUNTIES IN PENNASOTA:
MEGA, CAPITAL AND SUBURBIA

Number of polling places in 3 largest counties                              1,133
Number of precincts/Election Districts in 3 largest counties                1,669
Number of votes in 3 largest counties                                       1,156,035
Number of votes stored at largest tally center                              531,584
Number of votes stored at the second largest tally center                   360,541
Number of votes stored at third largest tally center                        263,936
% of votes that would need to be switched in the 3 largest counties
  to change outcome of governor's race                                      4.49%

VVPT-RELATED ASSUMPTIONS

Number of votes per DRE w/ VVPT                                             120
Number DREs w/ VVPT in state                                                28,828
Number DREs w/ VVPT in 3 largest counties                                   9634
Number of VVPT that must be changed to win election (assuming no more than
  30% of votes switched on any roll)                                        2,934
Number of people required to create fake VVPT printouts
  to be replaced after polls close                                          3



PCOS AND BMD-RELATED ASSUMPTIONS

Total number of PCOS machines in state                                      4,820
Total number of votes per PCOS machine                                      606
Total number of PCOS machines in 3 largest counties                         1,669
Number of people required to replace ballots
  with counterfeits per polling place                                       1
Number of people required to replace sufficient ballots
  with counterfeit complete ballots                                         606
Number of people required to steal or counterfeit ballot paper              5

DRE-RELATED ASSUMPTIONS

Number DREs in state                                                        27,675
Number DREs in 3 largest counties                                           9,248
Number of votes per DRE machine                                             125
Number of machines under Parallel Testing                                   58
Number of people required to subvert Parallel Testing                       58
Maximum number of votes switched on DRE                                     18.75
Minimum number of DREs attacked to swing election                           2817

AUDIT ASSUMPTIONS

Number of votes audit team can audit in one day                             120
Number of auditors per team                                                 2
Number of votes audited in 3 largest counties (2% audit)                    23,121
Number of audit teams to conduct audit
  in 3 largest counties in one day                                          193
Total number of auditors in 3 largest counties                              386





APPENDIX H 

TABLES SUPPORTING PENNASOTA ASSUMPTIONS 


PENNASOTA COMPOSITE FROM VOTES IN THE 2004 BATTLEGROUND STATES
(TAKEN FROM ACTUAL 2004 PRESIDENTIAL VOTE)

                Total Votes   Total Votes     Largest Three Counties   Number of Votes   Number of Votes
                for Adams     for Jefferson   in State by Population   for Adams (Kerry) for Jefferson (Bush)
State           (Kerry)       (Bush)          (in descending order)    by County         by County

Colorado        1,001,725     1,101,256       Denver                   166,135           69,903
                                              El Paso                  77,648            161,361
                                              Jefferson                126,558           140,644

Florida                                       Miami-Dade               409,732           361,095
                                              Broward                  453,873           244,674
                                              Palm Beach               328,687           212,688

Iowa            741,898       751,957         Polk                     105,218           95,828
                                              Linn                     60,442            49,442
                                              Scott                    42,122            39,958

Michigan        2,279,183     2,313,746       Wayne                    600,047           257,750
                                              Oakland                  319,387           316,633
                                              Macomb                   196,160           202,166

Minnesota       1,445,014     1,346,695       Hennepin                 383,841           255,133
                                              Ramsey                   171,846           97,096
                                              Dakota                   104,635           108,959

Nevada          397,190       418,690         Clark                    281,767           255,337
                                              Washoe                   74,841            81,545
                                              Carson                   9,441             13,171

New Mexico      370,942       376,930         Bernalillo               132,252           121,454
                                              Dona Ana                 31,762            29,548
                                              Santa Fe                 47,074            18,466

Ohio            2,741,165     2,859,764       Cuyahoga                 448,503           221,600
                                              Franklin                 285,801           237,253
                                              Hamilton                 199,679           222,616

Pennsylvania    2,938,095     2,793,847       Philadelphia             542,205           130,099
                                              Allegheny                368,912           271,925
                                              Montgomery               222,048           175,741

Wisconsin       1,489,504     1,478,120       Milwaukee                297,653           180,287
                                              Dane                     181,052           90,369
                                              Waukesha                 73,626            154,926

Total Votes Per Candidate (2.32% margin of victory)     1,769,818     1,689,561
Average Votes of Three Largest Counties                 674,295       481,767
Average Total Votes Per Candidate                       3,439,379





SOURCES: 2004 PRESIDENTIAL ELECTION VOTE TOTALS

Colorado
County: http://www.census.gov/popest/counties/tables/CO-EST2004-01-08.xls
Elections: http://www.elections.colorado.gov/WWW/default/Prior%20Years%20Election%20Information/2004/Abstract%202003%202004%20082305%20Late%20PM-5.pdf

Florida
County: http://www.stateofflorida.com/Portal/DesktopDefault.aspx?tabid=95#27103
Elections: http://election.dos.state.fl.us/elections/resultsarchive/Index.asp?ElectionDate=11/2/04&DATAMODE=
http://www.cnn.com/ELECTION/2004//pages/results/states/FL/P/00/county.000.html

Idaho
http://www.census.gov/popest/counties/tables/CO-EST2004-01-16.xls
http://www.idsos.state.id.us/ELECT/RESULTS/2004/general/tot_stwd.htm
http://www.idsos.state.id.us/ELECT/RESULTS/2004/general/cnty_pres.htm

Michigan
http://www.census.gov/popest/counties/tables/CO-EST2004-01-26.xls
http://miboecfr.nicusa.com/election/results/04GEN/01000000.html

Minnesota
http://www.census.gov/popest/counties/tables/CO-EST2004-01-27.xls
http://electionresults.sos.state.mn.us/20041102/

Wisconsin
http://www.census.gov/popest/counties/tables/CO-EST2004-01-55.xls
http://165.189.88.185/docview.asp?docid=1416&Jorid=47

Pennsylvania
http://www.census.gov/popest/counties/tables/CO-EST2004-01-42.xls
http://www.electionreturns.state.pa.us/ElectionReturns.aspx?Control=StatewideReturnsByCounty&ElecID=1&OfficeID=1#P

Ohio
http://www.census.gov/popest/counties/tables/CO-EST2004-01-39.xls
http://www.sos.state.oh.us/sos/ElectionsVoter/results2004.aspx?Section=135

Nevada
http://www.census.gov/popest/counties/tables/CO-EST2004-01-32.xls
http://www.cnn.com/ELECTION/2004/pages/results/states/NV/P/00/county.000.html

New Mexico
http://www.census.gov/popest/counties/tables/CO-EST2004-01-35.xls
http://www.cnn.com/ELECTION/2004/pages/results/states/NM/P/00/county.000.html




AVERAGE VOTES FOR THE THREE LARGEST COUNTIES IN THE 2004 BATTLEGROUND STATES

Composite Counties     Adams (Kerry)     Jefferson (Bush)
Mega County            336,735           194,849
Capital County         202,556           157,985
Suburban County        135,003           128,934
Total of Averages      674,295           481,767


PENNASOTA COMPOSITE OF POLLING PLACES AND PRECINCTS
IN THE 2004 BATTLEGROUND STATES

                               Number of Polling Places
                               (Nov. 2004 elections       Number of        Number of        Number of
                               unless otherwise           Precincts        Polling Places   Precincts
State          County          indicated)                 November 2004    Statewide        Statewide

Colorado       Denver          288                        422              2,318            3,370
               El Paso         185                        378
               Jefferson       323                        330

Florida        Miami-Dade      534                        749              5,433            6,892
               Broward         520                        777
               Palm Beach      420                        692

Iowa           Polk            180                        183              1,916            1,966
               Linn            85                         86
               Scott           63                         63

Michigan       Wayne           670                        1,198            3,890            5,235
               Oakland         432                        549
               Macomb          259                        383

Minnesota      Hennepin        431*                       430              3,750**          4,108
               Ramsey          178                        178
               Dakota          137                        137

New Mexico     Bernalillo      162****                    413****          612              684
               Dona Ana        78                         108
               Santa Fe        50                         86

Nevada         Clark           329                        1,042            526              1,585
               Washoe          118                        250
               Carson          2                          26

Ohio           Cuyahoga        584                        1,436            6,602            11,366
               Franklin        514                        788
               Hamilton        593                        1,013

Pennsylvania   Philadelphia    1,637                      1,681            4,000            9,432
               Allegheny       1,214                      1,214
               Montgomery      407                        407

Wisconsin      Milwaukee       N/A***                     N/A***           1,253            3,563
               Dane
               Waukesha

Statewide Average of 10 States                                             2,969            4,820


SOURCE

Unless otherwise indicated, information is from the data tables at the EAC 2004 Election Day
Survey, available at http://www.eac.gov/election_survey_2004/state_data.htm.

* 341 as of June 29, 2005. Telephone interview with Hennepin County Elections Board
representative (November 7, 2005).

** Figure is estimated. Telephone interview with Minnesota Secretary of State representative
(February 21, 2005).

*** Number of Precincts and Polling Places N/A because elections are administered at municipality
level and data were not centralized at county level. Milwaukee City, the largest municipality
in Milwaukee County, has 202 polling places. Telephone interview with Milwaukee
County Election Commission representative (November 7, 2005).

**** Telephone interview with Bernalillo County Clerk’s Office representative (November 14,
2005).


AVERAGE NUMBER OF PRECINCTS AND POLLING PLACES FOR THE THREE LARGEST COUNTIES
IN THE 2004 BATTLEGROUND STATES

Composite Counties     Precincts     Polling Places
Mega County            502           839
Capital County         347           481
Suburban County        250           349
Total of Averages      1,099         1,669



APPENDIX I

DENIAL-OF-SERVICE ATTACKS 

December 7, 2005 

From: Professor Henry Brady, University of California, Berkeley
To: The Task Force

Denial of the Vote: You asked what the typical distribution of spreads was in
precincts. I’ve gone to two data sets that were readily at hand — Broward and
Palm Beach County Florida for the 2000 Presidential race. These are both heavily
democratic counties. Roughly Broward was 67% for Gore and Palm Beach
was 60% for Gore.

Here are the frequencies by precinct “binned” into 10 intervals from 0% to 100% 
voting for Gore: 


GOREPCCT — BROWARD COUNTY FLORIDA, 2000 PRESIDENTIAL — % GORE VOTE

          Bin Number   % Voting for Gore   Frequency   % of Precincts   Valid %   Cumulative %
Valid     1.00         0-10%               13          1.7              1.7       1.7
          2.00         10-20%              2           .3               .3        2.0
          3.00         20-30%              3           .4               .4        2.4
          4.00         30-40%              15          1.9              2.0       4.4
          5.00         40-50%              73          9.3              9.8       14.2
          6.00         50-60%              132         16.8             17.7      31.9
          7.00         60-70%              217         27.6             29.0      60.9
          8.00         70-80%              124         15.8             16.6      77.5
          9.00         80-90%              87          11.1             11.6      89.2
          10.00        90-100%             81          10.3             10.8      100.0
          Total                            747         95.2             100.0
Missing   System                           38          4.8
Total                                      785         100.0




GOREPCCT — PALM BEACH COUNTY FLORIDA — 2000 PRESIDENTIAL — % GORE VOTE

          Bin Number   % Voting for Gore   Frequency   % of Precincts   Valid %   Cumulative %
Valid     1.00         0-10%               7           1.1              1.1       1.1
          2.00         10-20%              8           1.3              1.3       2.4
          3.00         20-30%              5           .8               .8        3.3
          4.00         30-40%              42          6.7              6.8       10.1
          5.00         40-50%              123         19.6             20.0      30.1
          6.00         50-60%              150         23.9             24.4      54.5
          7.00         60-70%              123         19.6             20.0      74.5
          8.00         70-80%              64          10.2             10.4      84.9
          9.00         80-90%              52          8.3              8.5       93.3
          10.00        90-100%             41          6.5              6.7       100.0
          Total                            615         98.1             100.0
Missing   System                           12          1.9
Total                                      627         100.0




Note that there are lots of precincts with 90% or higher Gore vote (10% in
Broward and 6.5% in Palm Beach). These precincts are rather large (730 ballots
cast on average in Broward and 695 ballots cast in Palm Beach).

Here are the Bush results for Palm Beach. 

BUSHPCCT — PALM BEACH COUNTY FLORIDA 2000 PRESIDENTIAL % BUSH VOTE

          Bin Number   % Voting for Gore   Frequency   % of Precincts   Valid %   Cumulative %
Valid     1.00         0-10%               55          8.8              8.9       8.9
          2.00         10-20%              49          7.8              8.0       16.9
          3.00         20-30%              76          12.1             12.4      29.3
          4.00         30-40%              148         23.6             24.1      53.3
          5.00         40-50%              157         25.0             25.5      78.9
          6.00         50-60%              87          13.9             14.1      93.0
          7.00         60-70%              27          4.3              4.4       97.4
          8.00         70-80%              3           .5               .5        97.9
          9.00         80-90%              6           1.0              1.0       98.9
          10.00        90-100%             7           1.1              1.1       100.0
          Total                            615         98.1             100.0
Missing   System                           12          1.9
Total                                      627         100.0




Note that there are a lot fewer precincts with high Bush vote — only about 2.1%
with 80% or greater Bush vote. But, of course, Palm Beach was a very highly
Democratic County. Here are the results for Broward:



BUSHPCCT — BROWARD COUNTY FLORIDA — 2000 PRESIDENTIAL — BUSH VOTE

          Bin Number   % Voting for Gore   Frequency   % of Precincts   Valid %   Cumulative %
Valid     1.00         0-10%               94          12.0             12.6      12.6
          2.00         10-20%              96          12.2             12.9      25.4
          3.00         20-30%              144         18.3             19.3      44.7
          4.00         30-40%              211         26.9             28.2      73.0
          5.00         40-50%              122         15.5             16.3      89.3
          6.00         50-60%              53          6.8              7.1       96.4
          7.00         60-70%              11          1.4              1.5       97.9
          8.00         70-80%              1           .1               .1        98.0
          9.00         80-90%              2           .3               .3        98.3
          10.00        90-100%             13          1.7              1.7       100.0
          Total                            747         95.2             100.0
Missing   System                           38          4.8
Total                                      785         100.0


Note that we have about the same situation for Broward. 


This suggests that it would be harder to do a “denial of the vote” for Bush than
for Gore in these counties. But, of course, in a Presidential race you would probably
first choose a county that was heavily in the direction of the other party -
hence, if you were a Republican you would choose Palm Beach or Broward
Counties and you would not choose heavily Republican counties in the North of
Florida.


These tables are typical of what we see around the country. 





APPENDIX J 

CHANCES OF CATCHING ATTACK PROGRAM 
THROUGH PARALLEL TESTING 

The Automatic Routine Audit and Parallel Testing should both use random sam- 
pling of precincts or voting machines to try to catch misbehavior. The attacker 
doesn’t know ahead of time which precincts or machines will be checked and, if 
there are enough random samples taken, she cannot tamper with a substantial 
number of precincts or machines without a big risk of her tampering being 
caught. The question we address in this Appendix is how many machines must
be randomly tested to reliably detect a certain level of tampering.

One way to visualize the way random sampling can work is to imagine a room
full of ping pong balls. Most of the balls are blue, but a small fraction (say, 1/2 of
1%) are red. When we sample them, we reach into the bin without looking and
draw out a ball; we want to know whether we are likely to draw out a red ball in
a certain number of tries.

We can imagine a literal version of this, with each ball or slip of paper having a 
different machine or polling place ID on it. In the case of Parallel Testing, we 
select machines by drawing these balls out of the bin and sampling only what is 
indicated by those balls. If we draw a ball representing a machine whose results 
have been tampered with, we will detect the tampering; if none of the tampered 
machines is tested, the attacker will get away with her tampering. This idea is very 
general - it can be applied to Automatic Routine Audits of polling places,
precincts or voting machines, Parallel Testing of machines, careful physical
inspection of tamper-evident seals on ballot boxes, inspection of polling places
for compliance with election laws, etc.

The way we really do this is called “sampling without replacement,” which just
means that when we draw a ball out of the bin, we don’t put it back. The probability
of finding the red ball changes each time we draw a ball out. If we have
a reasonably large number of balls in the bin and if we are sampling a small percentage,
we can use a much simpler formula for sampling with replacement that’s
approximately correct. This binomial estimate will generally err in a conservative
direction, i.e., we will draw a sample larger than necessary.

It’s easy to convince yourself that drawing more balls from this bin makes you
more likely to get one of the rare balls. It is also easy to see that the more red balls
there are in the bin, the more likely you are to draw one out.

We can write formulas to describe all this more precisely. Suppose that in
Pennasota there are 28,828 DREs, and 2,883 (or 10%) have been tampered
with. We’re going to test 10 machines. We want to know how likely we are to
detect the tampering.

The easiest way to think of this is to ask how likely we are to fail to detect the tampering.
(If we have a 10% chance of failing to detect the tampering, that’s just
another way of saying we have a 90% chance of detecting it.) Each time we draw
a ball from the bin, we have approximately a (2,883/28,828) = 0.10 chance of
getting a ball that represents one of the tampered machines. The probability that
we’ll fail to sample a tampered machine each time is approximately 0.90. To figure
out what the probability is that we will fail to sample one of the tampered
ones 10 times in a row, we just multiply the probabilities together: 0.90 * 0.90 *
... * 0.90 = (0.90)^10 = 0.35. So, after 10 samples, we have about a 35% chance
of not having caught the attacker. Another way of saying the same thing is that
we have about a 100% - 35% = 65% chance of catching the attacker.

An approximate formula for this is:

C = fraction compromised
N = number sampled

Probability[detect attack] = 1 - (1 - C)^N

Writing the probabilities as percentages, this looks like:

Probability[detect attack] = 100% - (100% - C)^N

Now, the question we really care about is how many samples we must take to have
some high probability of detecting an attack. That is, we may start knowing the
P[detect attack] value we want and need to work backward to find how many
samples we must take if the attacker has tampered with 10% of our machines.
The general (approximate) formula is

D = probability of detection
C = fraction compromised
N = number sampled

N = log(1 - D) / log(1 - C)

where log() is just the logarithm of these probabilities. The base of the logarithm
doesn’t matter.

Some sample values for this, with D = 95% (that is, we require a 95% chance
of catching the tampering):

Compromised     Number Sampled
0.5%            598
1.0%            298
2.0%            148
5.0%            58
10.0%           28
25.0%           10



This formula and table are approximate. For small numbers of machines or
precincts being sampled, they overstate the number of samples needed to get the
desired probability, which means that following them may lead you to be a little
more secure than you need to be.

So even if we assume that only 5% of machines are tampered with, Parallel
Testing of 58 machines should give us a 95% chance of catching a machine that
has been tampered with.





APPENDIX K 

CHANCES OF CATCHING ATTACK PROGRAM 
THROUGH THE ARA 

From the math already done in Appendix J, we can create this formula: 

As already discussed, the formulas listed in Appendix J will apply just as well
when attempting to determine whether a 2% audit will have a good chance of
catching a fraud.

There are more than 28,000 DREs w/ VVPT in Pennasota, with an average of
120 voters per machine. As our attacker wants to avoid detection, we have
assumed that she will create an attack program that will switch a limited number
of votes in each polling place - specifically about 18 (or 15% of all votes) per
machine. Assuming she wants to switch about 52,000 votes, this comes out to an
attack on about 1600 machines.

What is the probability of catching this fraud with a 2% audit? In a 2% audit,
we will audit about 560 machines.

The fraction of bad machines is 1,600/28,000 or 0.055.

Each time we audit a machine, we have a chance of 0.055 of picking a machine
that has been tampered with, and a chance of 1 - 0.055 (or 0.945) of picking a
machine that has not been tampered with.

The probability of picking only machines that have not been tampered with after
auditing all 560 machines is (1 - C)^N or (0.945)^560. This is extremely close to zero,
which means that the chances of not catching the fraud are less than 1%; conversely,
the chances of catching it are close to 100%.

Paper replaced 

But what if the attacker had pollworkers in 550 polling places replace the paper
before it reached county headquarters for the ARA? This would leave, at a minimum,
56 rolls that are evidence of the fraud (assuming that in the 56 polling
places where paper wasn’t replaced, there was only one DRE per polling site).
This means roughly 0.2% of paper rolls would show that the paper did not
match the electronic records. What are the chances that a 2% audit (or audit of
560 machines) would catch this?

This time, each time we audit the paper rolls, the chances of catching a paper roll
with evidence of the fraud is 56/28,000, or roughly 0.002. So the probability of
picking only rolls that do not show evidence of fraud after auditing all 560 rolls
and machines is (.998)^560, or about 1/3. Thus, there would still be a 2/3 chance
that the fraud would be detected.
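
The arithmetic of Appendix J and Appendix K, as an added example that is not part of the report: it evaluates the report's approximation 1 - (1 - C)^N next to the exact without-replacement probability, and shows what rounding the sample-size formula does at the 95% threshold. Function names and the 200-machine county are assumptions made here; the other figures are the ones quoted in the two appendices.

```python
import math


def detect_prob_approx(c: float, n: int) -> float:
    """The appendix's approximation: 1 - (1 - C)^N (sampling with replacement)."""
    return 1.0 - (1.0 - c) ** n


def detect_prob_exact(total: int, bad: int, n: int) -> float:
    """Exact chance that n distinct units drawn from `total` include a bad one."""
    if n > total - bad:
        return 1.0  # more draws than clean units: a bad one must turn up
    miss = 1.0
    for i in range(n):
        # i clean units are already out of the bin when draw i+1 is made
        miss *= (total - bad - i) / (total - i)
    return 1.0 - miss


def samples_formula(c: float, d: float) -> float:
    """N = log(1 - D) / log(1 - C), before any rounding."""
    if not (0.0 < c < 1.0 and 0.0 < d < 1.0):
        raise ValueError("C and D must lie strictly between 0 and 1")
    return math.log(1.0 - d) / math.log(1.0 - c)


def samples_needed_exact(total: int, bad: int, d: float) -> int:
    """Smallest sample whose exact detection probability reaches d."""
    miss = 1.0
    for n in range(1, total - bad + 1):
        miss *= (total - bad - (n - 1)) / (total - (n - 1))
        if 1.0 - miss >= d:
            return n
    return total - bad + 1


def appendix_j_table(d: float = 0.95) -> list:
    """(C, formula rounded to nearest, formula rounded up) for the table's rows."""
    rows = []
    for c in (0.005, 0.01, 0.02, 0.05, 0.10, 0.25):
        n = samples_formula(c, d)
        rows.append((c, round(n), math.ceil(n)))
    return rows


def appendix_k_cases() -> dict:
    """2% audit of 28,000 machines: (approximate, exact) detection probability."""
    total, audited = 28_000, 560
    return {
        "1,600 machines tampered": (
            detect_prob_approx(1_600 / total, audited),
            detect_prob_exact(total, 1_600, audited),
        ),
        "56 paper rolls left as evidence": (
            detect_prob_approx(56 / total, audited),
            detect_prob_exact(total, 56, audited),
        ),
    }


if __name__ == "__main__":
    print("10 tests, 10% tampered:", round(detect_prob_approx(0.10, 10), 3))
    for c, nearest, up in appendix_j_table():
        # Rounding to nearest can land just under D; rounding up never does.
        print(f"C={c:.1%}  nearest={nearest}  rounded up={up}  "
              f"P(detect) at nearest={detect_prob_approx(c, nearest):.4f}")
    # Statewide pool (28,828 DREs, 5% tampered) versus a small county
    # (constructed: 200 machines, 10 tampered), where the formula overstates.
    print("exact N, statewide:", samples_needed_exact(28_828, 1_441, 0.95))
    print("exact N, 200-machine county:", samples_needed_exact(200, 10, 0.95))
    for label, (approx, exact) in appendix_k_cases().items():
        print(f"{label}: approx={approx:.4f} exact={exact:.4f}")
```

The table's entries match the formula rounded to the nearest whole number; at C = 5% that gives 58 tests and a detection probability just under 95%, so an auditor who treats 95% as a hard floor would round up to 59.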





APPENDIX L 

SUBVERTING THE AUDIT 

Parallel Testing 

We’ve described auditing processes that can detect all kinds of misbehavior.
However, this leaves open a question: How many auditors must our attacker corrupt
to prevent the detection of misbehavior?

Preliminaries

We assume that auditing or Parallel Testing is done by teams. Each team is somehow
put together from one or more auditors, and each team is assigned randomly
to a subset of the things being audited.

How Many Corrupt Auditors Subvert an Audit Team? 

How many corrupt auditors does it take to subvert an audit team? The answer 
depends on the procedures used for auditing. The two extreme cases are of the 
greatest interest: 

• One Bad Apple: As discussed on page 55 of this report, during Parallel
Testing, it is likely that a single corrupt auditor can enter a Cryptic Knock
that will inform a tampered machine that it is being Parallel Tested. If the
tester cannot enter a Cryptic Knock (because this feature was not part of the
attack program) then all members of the Parallel Testing team will have to be
subverted.

• The Whole Bunch: During hand-recounts of paper ballots, reasonable procedures
can make it very difficult for an audit team with even one uncorrupted
auditor to fail to detect any significant fraud (that is, more than two or
three votes).

We will consider these two models below. 

Impact of Corrupted Audit Teams 

The best way to think about the impact of a corrupt audit team is to omit the 
audits done by that team from the total number of audits we assume are done. 
Thus, if we have ten teams, each doing 5 audits, and we assume two teams are 
corrupt, then instead of calculating the probability of detecting an attack based 
on 50 audits being done, we calculate it based on the probability of 40 audits 
being done. 

Some Simple Approximations 

Here is a simple, conservative approximation of the expected value and 95% 
upper limit on the number of compromised audit teams. We compute the probability 
that a team will get corrupted, and then use the binomial distribution to determine 
the expected number of corruptions. We assume sampling without replacement 
for teams based on a fixed proportion of corrupt auditors. This is also oversimplified 
and conservative, but less so than the super-simple model. 

Let: 

R be the total number of auditors, of whom N are corrupt. 

The proportion of corrupt auditors is N/R. 

Each team consists of K auditors. 

Q = R/K — the total number of teams. 

For the one corrupt auditor model: 

(That is, a single corrupt auditor subverts the whole team.) 

The probability of a team being corrupted is P = 1 - ((R-N) / R)^K. 
This is 1 minus the probability that all the auditors on a team are not 
corrupt. 


For the all corrupt model: 

(That is, all the auditors on the team must be corrupt to corrupt the team.) 
The probability of a team being corrupted is P = 

For both models: 

Prob(M corrupted audit teams) = Choose(Q, M) P^M (1 - 
Expected number of corrupted audit teams = P*Q. 

S = standard deviation = Sqrt(P*(1 - P)*Q) 

95% upper bound on corrupted audit teams = 1.64*S 

The biggest thing to notice about these formulas is that when you need to corrupt 
all members of a team to corrupt the team, you need to corrupt practically all the 
auditors to have much of an impact. For example, consider an election with 100 
auditors, 5 to a team. Here are some numbers when we have to have all auditors 
on a team corrupted to subvert that team’s audits: (There are 20 teams total.) 



The 95% upper limit here means the true number of corrupt teams should not 
exceed the upper limit in 95% of the possible teams drawn. The critical value of 
1.64 is based on the commonly used normal distribution. Note the implications 
for parameters of our audit teams - bigger teams are much better than smaller 
ones. If we had audit teams of one, corrupting half the auditors would corrupt 
half the audits, while here it corrupts only 10% of the audits. On the other hand, 
we could do five times as many audits with one auditor to a team. 

On the other hand, the attacker has a much easier time attacking auditing 
processes where a single corrupted participant subverts the whole audit process. 
Similar numbers then look like: 


Corrupt Auditors    Corrupt Teams Expected    95% Upper Bound 
10                  8                         11 
20                  13                        16 
30                  17                        19 
40                  18                        20 
50                  19                        20 
60                  20                        20 
70                  20                        20 


In this case, small audit/Parallel Testing teams make more sense. 
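
The approximation above, worked as an added example (not part of the original report). The function names are this example's own, and the all-corrupt team probability (N/R)^K is an assumption of the example; the bound it reports is the expected number of corrupt teams plus 1.64*S, capped at Q, which is what the table values correspond to, up to rounding.

```python
from math import comb, sqrt

Z_95 = 1.64  # critical value quoted in the text


def team_corruption_prob(R, N, K, model):
    """Probability P that one K-auditor team is subverted, given R auditors
    of whom N are corrupt.

    "one_bad_apple": one corrupt member is enough, P = 1 - ((R-N)/R)^K
                     (the expression given in the text).
    "whole_bunch":   every member must be corrupt, P = (N/R)^K
                     (assumption of this example).
    """
    if K < 1 or not 0 <= N <= R:
        raise ValueError("need K >= 1 and 0 <= N <= R")
    if model == "one_bad_apple":
        return 1 - ((R - N) / R) ** K
    if model == "whole_bunch":
        return (N / R) ** K
    raise ValueError(f"unknown model: {model}")


def corrupted_team_stats(R, N, K, model):
    """Return (expected corrupt teams, standard deviation S, 95% upper bound)."""
    Q = R // K                                # total number of teams
    P = team_corruption_prob(R, N, K, model)
    expected = P * Q
    S = sqrt(P * (1 - P) * Q)
    upper = min(Q, expected + Z_95 * S)       # cannot exceed the team count
    return expected, S, upper


def prob_m_corrupted(Q, M, P):
    """Binomial probability that exactly M of Q teams are corrupted."""
    return comb(Q, M) * P ** M * (1 - P) ** (Q - M)


def effective_audits(total_audits, Q, corrupt_teams):
    """Audits that still count once corrupt teams' audits are omitted,
    assuming every team performs the same number of audits."""
    return total_audits - (total_audits / Q) * corrupt_teams


if __name__ == "__main__":
    R, K = 100, 5  # the text's example: 100 auditors, 5 to a team
    for model in ("one_bad_apple", "whole_bunch"):
        print(model)
        for N in range(10, 80, 10):
            exp, S, up = corrupted_team_stats(R, N, K, model)
            print(f"  corrupt auditors={N:3d}  expected teams={exp:5.2f}  "
                  f"95% upper={up:5.2f}")
    print("audits left with 2 of 10 teams corrupt:",
          effective_audits(50, 10, 2))
```

For a defender sizing audit teams, the two models pull in opposite directions: larger teams sharply reduce exposure when every member must collude, and sharply increase it when one member is enough.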

Bribing The Audit Teams in Pennasota to Subvert the Audit 

If our attacker could successfully bribe auditors to “cheat” during the audit, so 
that they would ignore discrepancies between the paper and electronic records, 
how many would he have to bribe? Our analysis shows that nearly all of the 
auditors in the largest counties would have to be successfully bribed if the attack 
was to work. 

We can use the audit in Pennasota’s three largest counties, Mega, Capitol and 
Suburbia, as an example. With a 2% audit, 193 teams of two will audit one DRE 
w/ VVPT paper roll each (each paper roll will contain approximately 120 votes). 
Each member of each team of auditors is selected by one of the major political 
parties; after they are selected and immediately before the auditing begins, they 
are randomly assigned a partner and a machine. Every team has one Federalist 
and one Democratic-Republican. 

What fraction of these auditors must the attacker corrupt to avoid her attack 
being caught? If r represents the fraction of auditors from each party that our 
attacker must corrupt, and each party’s auditor is randomly matched with an 
auditor from the other party, the probability of an entire audit team being corrupted 
(i.e. both auditors being corrupted) is 

A machine passes an audit if: 

(1) it is a good machine; or 

(2) it is a bad machine but both auditors are corrupted. 





The probability of (1) is 1 - C. The probability of (2) is Cr^2. Thus the probability 
of a machine passing the audit is 

1 + C(r^2 - 1). 

And the probability of S machines passing the audit is approximately: 

p = (1 + C(r^2 - 1))^S 

Solving this equation for r yields: 

We have assumed that the attacker would need to attack 1,602 DREs w/ VVPT 
to feel comfortable that he could change the outcome of the governor’s race in 
Pennasota. There are 9,634 DREs w/ VVPT in Pennasota’s three largest counties. 
Thus, C = 1602/9634 or 0.17. S, the number of machines and paper rolls 
audited, is 193. Assuming that our attacker wants 90% certainty that she will subvert 
the audit, p equals 0.9. 

Accordingly, the percentage of auditors that must be successfully bribed to subvert 
the audit is approximately 99.7%. 
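
Carrying the Pennasota calculation through in code, as an added example that is not part of the original report: the relation p = (1 + C(r^2 - 1))^S is inverted for r. The function names and the team_size parameter are assumptions of this example (team_size=2 is the report's case; other values generalize the r^2 term to r^team_size).

```python
def audit_pass_probability(C, r, S, team_size=2):
    """Probability that all S audited machines pass.

    C: fraction of machines that were attacked
    r: fraction of auditors the attacker has corrupted
    A bad machine passes only if its whole team is corrupt (r**team_size).
    """
    return (1 + C * (r ** team_size - 1)) ** S


def required_corrupt_fraction(C, S, p, team_size=2):
    """Smallest r for which the audit is subverted with probability p."""
    if not (0 < C <= 1 and 0 < p < 1 and S >= 1 and team_size >= 1):
        raise ValueError("need 0 < C <= 1, 0 < p < 1, S >= 1, team_size >= 1")
    per_machine = p ** (1 / S)                  # pass rate each audit must reach
    team_corrupt = 1 - (1 - per_machine) / C    # needed P(team fully corrupt)
    if team_corrupt <= 0:
        return 0.0   # the audit is too small to reach p even with no bribes
    return team_corrupt ** (1 / team_size)


def fraction_by_audit_size(C, p, sizes, team_size=2):
    """Required r for each candidate number of audited machines."""
    return [(S, required_corrupt_fraction(C, S, p, team_size)) for S in sizes]


if __name__ == "__main__":
    C = 1602 / 9634   # attacked share of DREs in the three counties
    S = 193           # machines and paper rolls audited
    p = 0.9           # certainty the attacker wants
    r = required_corrupt_fraction(C, S, p)
    print(f"auditors to bribe: {r:.2%}")
    print(f"check, pass probability at that r: "
          f"{audit_pass_probability(C, r, S):.3f}")
    print(f"pass probability with no bribes: "
          f"{audit_pass_probability(C, 0.0, S):.1e}")
    for size, frac in fraction_by_audit_size(C, p, [1, 10, 50, 193]):
        print(f"  S={size:4d}  required r={frac:.2%}")
```

The sweep over S shows why audit size matters to the defender: with only a handful of audited machines the attacker needs far fewer corrupt auditors, and the requirement climbs toward all of them as S grows.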





APPENDIX M 

EFFECTIVE PROCEDURES 

FOR DEALING WITH EVIDENCE OF FRAUD OR ERROR 

The following are examples of procedures that would allow jurisdictions to 
respond effectively to detection of bugs or Software Attack Programs: 

1. Impound and conduct a transparent forensic examination of all machines 
showing unexplained discrepancies during Parallel Testing; 

2. Where evidence of a software bug or attack program is subsequently found 
(or no credible explanation for the discrepancy is discovered), conduct a 
forensic examination of all DREs in the state used during the election; 

3. Identify the machines that show evidence of tampering or a software flaw 
that could have affected the electronic tally of votes; 

4. Review the reported margin of victory in each potentially affected race; 

5. Based upon the (a) margin of victory, (b) number of machines affected, and 
(c) nature and scope of the tampering or flaw, determine whether there is a 
substantial likelihood that the tampering or flaw changed the outcome of a 
particular race; and 

6. Where there is a substantial likelihood that tampering changed the outcome 
of a particular race, hold a new election for the office. 

The following are examples of procedures that would allow jurisdictions to 
respond effectively to detection of statistical anomalies in the voter-verified paper 
record: 

1. Conduct a transparent forensic investigation of machines that have produced 
paper records with significant statistical anomalies; 

2. To the extent tampering with any of these machines is found, conduct a similar 
investigation of all machines in the State; 

3. After quantifying the number of machines that have been tampered with, 
determine the margin of victory in each potentially affected race; 

4. Based upon the (a) margin of victory, (b) number of machines affected, and 
(c) nature and scope of the tampering, determine whether there is a substantial 
likelihood that tampering changed the outcome of a particular race; and 

5. In the event that a determination is made that there is a substantial likelihood 
that tampering changed the outcome of a particular race, hold a new election 
for the office. 






BRENNAN CENTER FOR JUSTICE 
AT NYU SCHOOL OF LAW 
161 Avenue of the Americas, 12th Floor 
New York, NY 10013 
212-998-6730 


BRENNAN CENTER FOR JUSTICE 
BOARD OF DIRECTORS AND OFFICERS 

James E. Johnson, Chair, Partner, Debevoise & Plimpton LLP 
Michael Waldman, Executive Director, Brennan Center for Justice 
Nancy Brennan, Executive Director, Rose Kennedy Greenway Conservancy 
Zachary W. Carter, Partner, Dorsey & Whitney LLP 
John Ferejohn, Professor, NYU School of Law & Stanford University 
Peter M. Fishbein, Special Counsel, Kaye Scholer 
Susan Sachs Goldman 
Helen Hershkoff, Professor, NYU School of Law 
Thomas M. Jorde, Professor Emeritus, Boalt Hall School of Law - UC Berkeley 
Jeffrey B. Kindler, Vice Chairman & General Counsel, Pfizer Inc. 
Ruth Lazarus 
Nancy Morawetz, Professor, NYU School of Law 
Burt Neuborne, Legal Director, Brennan Center, Professor, NYU School of Law 
Lawrence B. Pedowitz, Partner, Wachtell, Lipton, Rosen & Katz 
Steven A. Reiss, General Counsel, Partner, Weil, Gotshal & Manges LLP 
Richard Revesz, Dean, NYU School of Law 
Daniel A. Rezneck, Senior Trial Counsel, Office of the DC Corporation Counsel 
Cristina Rodriguez, Assistant Professor, NYU School of Law 
Stephen Schulhofer, Professor, NYU School of Law 
John Sexton, President, New York University 
Sung-Hee Suh, Partner, Schulte Roth & Zabel LLP 
Robert Shrum, Senior Fellow, New York University 
Rev. Walter J. Smith, S.J., President & CEO, The Healthcare Chaplaincy 
Clyde A. Szuch 
Adam Winkler, Professor, UCLA School of Law 
Paul Lightfoot, Treasurer, President & CEO, AL Systems, Inc. 


www.brennancenter.org 












MEMORANDUM ON VOTING UNIT PERFORMANCE 
(Prepared by John T. Willis, School of Public Affairs, University of Baltimore) 


We are as far away as a state can be from the 2000 debacle in Florida where 
175,655 people did not have a vote recorded and counted for president or the 2004 
controversies in Ohio where 94,535 people did not have a vote recorded and counted for 
president. The administration of elections in Maryland stands in stark contrast to these 
states and performs well above national averages. In fact, in the 2004 presidential 
election, Maryland ranked number one (the best state) in capturing voter intent. It is 
important for the public, as well as public policy decision-makers, to be 
aware of, and keep in mind, that: 

1. There is no evidence (NONE) of the negligent, unintentional or intentional 
loss of votes, the failure to capture voter intent or the inaccurate compiling 
and tabulating of votes in the administration of elections during the 2002 
and 2004 election cycles in which the existing direct recording electronic 
(“DRE”) voting system was utilized. 

2. Mandating a statewide optical scan voting system will increase, not 
decrease, the number of voters that do not have their votes accurately 
recorded and counted in the 2006 election cycle. Depending upon voter 
turnout, at least between 3,000 and 4,000 more voters will not have their 
votes counted with a required optical scan voting system. 

3. Out of 2,394,207 Marylanders who cast a vote in the 2004 presidential election 
only 7,539 did not have a vote captured or recorded for President. The 
resulting residual vote rate of 0.31% was the lowest ratio in the country! 
(See Exhibit 1, “Residual Vote in the 2004 Election,” CALTECH/MIT 
Voting Technology Project, February 2005.) 

4. The 2004 residual vote in Maryland represented the lowest number and 
lowest ratio of individuals not having a vote counted for the candidates 
running for the highest position on the ballot in the history of Maryland 
for any election for which comparable data is available. 

5. The Maryland 2004 residual vote rate was 50% to seven times less than 
the residual vote rate in states relying entirely, or substantially, on optical 
scan voting systems. 

6. With 454,118 less registered voters casting ballots in the 2000 presidential 
election (when 19 counties utilized an optical scan voting system) there 
were 3,363 more voters not having a vote recorded for President than in 
the 2004 presidential election. The 2000 residual vote ratio was two- 
thirds higher than the 2004 ratio (when all counties and Baltimore City 
were using a direct recording electronic voting system). 





7. The precinct level differentials in residual vote rates between voting systems 
are clearly manifested in comparative scatter diagrams depicting the 
residual vote percentage rates in Baltimore County for the 2000 
presidential election using the ES&S OpTech III P optical scanning voting 
system and for the 2004 presidential election using the Diebold AccuVote 
TS direct recording electronic voting system.[1] There were only four 
precincts in 2004 with a residual vote rate of 1.0% or greater whereas 
there were 28 such precincts in 2000. Conversely, in the 2004 presidential 
election, 83.18% of the precincts had a residual vote rate of less than 0.5% 
compared with only 43.8% in the 2000 presidential election. 

8. Voters in five Maryland jurisdictions comprising 42.8% of the state’s total 
registered voters (51.4% of Democratic registered voters, 26.1% of 
Republican registered voters and 43.5% of other registered voters) have 
never used an optical scanning voting system at the polling place on 
election day. (These jurisdictions are Allegany County, Baltimore City, 
Dorchester County, Montgomery County and Prince George’s County.) 

9. Direct recording electronic voting systems are more accessible for people with 
disabilities, are better able to accommodate language barriers, provide for 
ballot magnification for voter convenience, substantially reduce residual 
vote variances among precincts with differing demographic 
characteristics, and reduce — not increase — the potential for voter error. 

10. Any voting system used for recording and tabulating votes is subject to 
unintentional error and theoretically subject to intentional tampering — 
including, and most especially, hand counting. There was substantial 
justification in 1955 for the Maryland General Assembly to mandate the 
use of mechanical lever voting machines and to bar the use of paper 
ballots at the polling place based upon decades of proven problems with 
the handling and marking of paper ballots. No such justification exists 
today for mandating a change in Maryland’s voting system. It should also 
be noted that the rate of voter error and the percentage of “no votes” is 
higher with absentee ballots than with the use of the Maryland direct 
recording electronic voting system. 

11. Endeavoring to change a voting system statewide in less than six months 
ignores the reality of the administration of elections. The procurement 
process for acquiring and testing over 4,000 machines, the complex ballot 
preparation and printing processes for nearly 1,800 precincts, and the 
training of approximately 21,000 election judges on the operation of a yet 
to be decided voting system are significant tasks that should not be rushed 
and compressed into an unreasonably short period of time. There is no 
reason to increase the risks associated with a seriously compressed 
administrative timeframe, especially when there is NO evidence of 
any negligent, intentional or unintentional failure to capture the intent 
of any Maryland voter using the current voting system at the polling place. 

[1] See attached Exhibit 2, Baltimore County: % of Residual Votes by Precincts for the 2000 Presidential 
Election and % of Residual Votes by Precincts for the 2004 Presidential Election. 

12. Contrary to the assertions made in the drumbeat of publicity generated by 
policy advocates, and the media proclivity to report controversy, 
independent survey research in Maryland and elsewhere in the country has 
found a high degree of voter satisfaction and trust with direct recording 
electronic voting systems. 

The public discussion about voting systems should be informed by the 
Memorandum Opinion of the Circuit Court of Anne Arundel County, dated September 1, 
2003. In denying the Plaintiffs Motion for Preliminary Injunction, the judge stated in 
pertinent part: "All experts agreed the use of paper ballots is the least accurate of all 
systems and lends itself to the most chicanery. On the other hand, the experts seem to 
agree, if untampered, the Diebold-type voting machines are the most accurate in 
recording and counting votes." The judge further observed that the fears of tampering of 
machines before, during or after the election "can reasonably be protected against by 
implementing some of the more reasonable suggestions of the SAIC, Hopkins and RABA 
reports." 


During the conduct of the 2004 presidential elections in Maryland, election 
procedures were designed and implemented to ensure the integrity of the election. These 
included parallel testing of randomly selected voting machines, which in every instance 
confirmed the accuracy of the voting system and outperformed hand counting of the same 
ballot choices. In six counties, there were pre-election demonstrations and testing of the 
DRE voting system (Allegany, Anne Arundel, Baltimore, Calvert, Howard and Talbot). 
On election day, randomly selected voting units from Montgomery County were subject 
to parallel testing under a program designed in conjunction with the League of Women 
Voters. The anecdotes, allegations, theoretical abstracts and exaggerated rhetoric used to 
attack the voting system currently used in Maryland are not rooted in any factual 
examination of the performance of the voting system in actual elections in Maryland. 

Can and should there be improvements made in direct recording electronic voting 
systems? Yes, and of course! For a significant fraction of the cost of replacing the 
voting system currently being used in Maryland, technological enhancements and 
additional technical, management and operational security measures can be taken to 
continue to assure a complete and accurate counting of votes in Maryland. It is important 
to expand the capacity to perform scientific based accuracy and logic testing and to 
conduct parallel testing of the voting system before, during and after any election. 

It is also reasonable and prudent for Maryland to continue searching for the best 
technology to capture voter intent fully and accurately as there will no doubt be continued 
improvements made in the industry. Controlled testing of new products to improve voter 
interface and exploring methods to enhance data security could be done on a limited 
precinct level basis without causing undue disruption to the statewide administration of 
elections. 

There is a well-documented track record on the effectiveness of the various types 
of voting systems that have been used in Maryland, an examination of which has 
been apparently lost or obscured in the current public discussion about voting systems. 
The Report of the Special Committee on Voting Systems and Election Procedures 
provided to the Maryland General Assembly in February 2001, contains a twenty year 
look at the efficacy of voting systems in Maryland. For the past 30 years, I have 
researched and closely examined precinct level voting patterns and voter behavior 
spanning the history of state elections for every level of government, type of office and 
ballot issues. What is demonstrable, down to the precinct level, are the differences that 
occur in voter performance utilizing various types of voting systems. What I have found 
is that direct recording electronic voting systems do a far better job capturing the intent of 
voters more accurately and completely than other voting systems, including optical scan 
systems. Further, direct recording electronic voting systems significantly reduce the 
variances among the residual vote rates cast at the precinct polling place and significantly 
lessen the differentials in residual vote rates among various demographic cohorts. 

By mandating an optical scan voting system in Maryland, it can reasonably be 
projected (based upon past performance of voters using such systems in actual Maryland 
elections) that more voters will not have their intentions recorded correctly in the 2006 
primary and general elections than if they were to use the current direct recording 
electronic voting system. As was painfully demonstrated in Florida, and has been 
experienced elsewhere (including Maryland), voters using an optical scan voting system 
will mismark ballots causing undervotes and overvotes and some ballots will not be read 
correctly by the voting system.[2] The February 2005 CALTECH/MIT Report found, with 
respect to the lowering of residual vote rates, “that there may be particular gains to be 
had when a jurisdiction that already use optical scanners chooses to use the newest 
generation of DRE's.” A statewide optical scan voting system will produce more voter 
errors, cause the disenfranchisement of more voters and yield more contested and 
dubious election results than the current or future generations of direct recording 
electronic voting systems. The inevitable close election will see its reported official 
results change in a “recount” or contested election procedure as a result of voter and 
machine error in recording and capturing the intent of the voter. This differential in 
capturing, recording and tabulating voters has already occurred in Maryland jurisdictions 
using optical scan voting systems (including the 2002 general election involving the 
former Speaker of the House). 

Finally, it would be prudent, before mandating any change to the exemplary 
manner in which the intent of the Maryland voter is captured accurately and completely, 
to subject any proposed replacement voting system to the same rigorous examination and 
independent testing that has been given to the current voting system by the Maryland 
General Assembly and independent research entities. In such an examination you would 
likely find many of the same technology concerns and security issues that generated the 
current debate over direct recording electronic voting systems also exist with an optical 
scan voting system in the recording and tabulating of voter intent. In addition, you would 
likely find management and operational security issues present with an optical scan 
voting system that do not exist with a direct recording electronic voting system. 

[2] Attached hereto as Exhibit 3 are examples of mismarked optical scan ballots that commonly occur. 
These samples were included in the Report of the Special Committee on Voting Systems and 
Election Procedures (February 2001) which was presented to the Governor and the Maryland 
General Assembly. 

In concluding, I believe that it would be a clear multi-million dollar, step 
backwards, not forwards, in the effort to capture voter intent completely and accurately 
to change our current voting system, especially only a little more than five months before 
an election! Maryland would no longer be a national leader in capturing voter intent and 
vote counting accuracy but would find its top of the list rankings decline in future 
election cycles. We should all continue to work toward solutions that will keep 
accurately and fully capturing the intent of Maryland voters as the principal goal and 
objective in the administration of elections in our state. 





ROY G. SALTMAN, M.S., M.P.A. 
Consultant on Election Policy and Technology 

5025 Broken Oak Lane, Columbia, MD 21044 
Phone: 410.730.4983/Fax: 410.997.4355 
email: rsaltman@alum.mit.edu 

Sept. 26, 2006 


Honorable Vernon J. Ehlers, Chairman 
Committee on House Administration 
US House of Representatives 
1309 Longworth House Office Building 
Washington, DC 20515-6157 

Dear Representative Ehlers: 

I am writing to you about the subject of your committee’s hearing on September 28, 2006, that is, 
electronic voting machines: verification, security, and paper trails. I request that this letter be placed 
in the hearing record. 

This letter summarizes my recent report on this subject. The final text of the report, entitled 
“Independent Verification: Essential Action to Assure Integrity in the Voting Process,” was submitted 
to the National Institute of Standards and Technology (NIST) under contract on August 22 and has 
been made available on a NIST website. I handed a paper copy of the report to Paul D. Vinovich, 
the committee’s director of legislative operations, on September 22. The report represents my 
personal views, conditioned by my thirty years of research and publication on this subject. 

My recommendation is that audits must be carried out on all officially reported results of federal 
elections, regardless of the type of voting technology. Public confidence in the democratic process 
requires this action. When direct-recording electronic (DRE) voting machines are used, independent 
electronic audit trails must be implemented on each machine and used to verify the reported results. 
When hard-copy ballots are employed, the percent of precincts independently verified should increase 
proportionally with the narrowness of the winner’s victory but, in any event, should include, 
automatically, at least 3% of all precincts at no cost to the loser. Precincts whose results generate 
the most doubt should be selectable for recounting by the losing party or candidates. 

My report points out difficulties with the paper-printout system now being mandated in many states 
for use with DRE voting machines. These unacceptable attributes are: 

(1) Visually handicapped voters cannot read these printouts; advocates for the blind have 
filed lawsuits claiming that the use of the printouts violates HAVA requirements for equal access. 

(2) A majority of sighted voters are not reviewing their printouts, with the result that the 
printouts not reviewed remain the product of untrusted computer programs. 

(3) A reason for the non-review is the extra time required by the voter, extending the duration 
of voting after the process has been essentially completed. 

(4) The printout is not presented in the same format as the electronic screen, resulting in a 
voter-unfriendly and difficult comparison. 

(5) Loss of privacy may result from the sequential spooling of the printouts, and the discovery 
of an incorrect computer program by a voter demands that the voter violate the state’s guarantee of 
privacy. 

Commercial products have been devised that provide for copying of the voter’s final screen on a 
DRE to a separate computing device. This procedure allows for the independent recording, 
summation and disclosure of election results by electronic means instead of paper. The voter need 
not have any personal hand in this process, thereby eliminating any required additional activity on 
the voter’s part and eliminating any activity not able to be carried out by voters with handicaps. 
Additional products of this type are likely to be produced in the near future, as the technology is not 
unusual, prohibitively intricate or expensive. My report recommends that such devices, if employed, 
must have their software publicly disclosed, and must be approved for use through the testing 
process of the accredited Voting System Testing Laboratories. 

In this letter, I have shown that the public can have confidence in reported election results without 
the use of paper. My hope is that the Congress will not restrict the future use of technology by an 
insistence on paper, at a time when nearly all organized business and government operations are 
attempting to eliminate paper. 


However, I have asked that actual audits be required to be carried out, which is not a current 
requirement. If elections are to be carried out in an efficient, effective, and “business-like” fashion, 
then audits must be undertaken. Every business of significant size in this country is required to carry 
out independent audits, for the benefit of investors, regulatory agencies, and taxing authorities. 
Certainly, the results of public elections are as worthy of public confidence as the financial condition 
of private corporations. 


Sincerely, 

Roy G. Saltman 





DIEBOLD 
ELECTION SYSTEMS 


Diebold Election Systems Response to the Princeton University AccuVote-TS 
Analysis 

The following statement may be attributed to Dave Byrd, President, Diebold Election 
Systems. 

September 13, 2006 - “Three people from the Center for Information Technology 
Policy and Department of Computer Science at Princeton University today released a 
study of a Diebold Election Systems AccuVote-TS unit they received from an 
undisclosed source. The unit has security software that was two generations old, and to 
our knowledge, is not used anywhere in the country. Normal security procedures were 
ignored. Numbered security tape, 18 enclosure screws and numbered security tags 
were destroyed or missing so that the researchers could get inside the unit. A virus was 
introduced to a machine that is never attached to a network.” 

"By any standard - academic or common sense - the study is unrealistic and inaccurate.” 

“The current generation AccuVote-TS software - software that is used today on 
AccuVote-TS units in the United States - features the most advanced security features, 
including Advanced Encryption Standard 128 bit data encryption, Digitally Signed 
memory card data, Secure Socket Layer (SSL) data encryption for transmitted results, 
dynamic passwords, and more.” 

"These touch screen voting stations are stand-alone units that are never networked 
together and contain their own individual digitally signed memory cards." 

“In addition to this extensive security, the report all but ignores physical security and 
election procedures. Every local jurisdiction secures its voting machines - every voting 
machine, not just electronic machines. Electronic machines are secured with security 
tape and numbered security seals that would reveal any sign of tampering.” 

“Diebold strongly disagrees with the conclusion of the Princeton report. Secure voting 
equipment, proper procedures and adequate testing assure an accurate voting process 
that has been confirmed through numerous, stringent accuracy tests and third party 
security analysis." 

“Every voter in every local jurisdiction that uses the AccuVote-TS should feel secure 
knowing that their vote will count on Election Day.” 

Contact: 

Mark Radke, Director of Marketing, Diebold Election Systems, 330-490-6633 



Diebold Election Systems, Inc. 
P.O. Box 1019 
Allen, TX 75013 

www.dieboldes.com 


Diebold Responds to RFK, Jr. and Rolling Stone 


Allen, Texas - Diebold Election Systems today released the following letter to the editors 
of Rolling Stone magazine. The letter responds to an error-riddled piece authored by 
Robert F. Kennedy, Jr. and published in the magazine. 

Mr. Kennedy did not contact Diebold Election Systems for comment, despite the fact that 
they are the primary target of Mr. Kennedy's article which draws on the claims of a 
former Diebold employee who was removed at the request of the Georgia Secretary of 
State. 

Diebold Election Systems is calling on Rolling Stone’s editors to review the critical facts 
below and disavow the shoddy reporting done by Mr. Kennedy. 


September 26, 2006 

Mr. Jann Wenner 
Editor and Publisher 
Rolling Stone 

1290 Avenue of the Americas 
New York, NY 10104 - 0298 

Subject: “Will The Next Election Be Hacked?” 

Mr. Kennedy should have made serious efforts to verify the validity of his article’s 
sources and assertions. He did not even contact Diebold Election Systems for comment. 
In doing so, he would have learned that his so-called whistleblower undermines his own 
case, and the claims he makes fail to hold up under bright light of the truth. 

The whistleblower in this article was not involved in the system implementation in 
Georgia for the duration he claims. On July 23, 2002, the Georgia Secretary of State’s 
office directly requested that Mr. Hood be removed from his duties as a voter outreach 
instructor because of poor performance. This request is clearly documented in a letter 
from the Secretary of State’s office, which is attached. 

After a review of the facts provided below, we believe you will come to the 
determination that this story falls short of serious journalistic standards. 





We're in the business of supporting our democracy, so our credibility and independence 
is imperative. While we're reluctant to be perceived as entering the political fray, we feel 
compelled to address in a vigorous and factual fashion these false accusations, which 
foster fear. 

Mr. Hood, a.k.a., the whistleblower, was a contractor for Diebold in Georgia and was to 
conduct a voter outreach program in the state of Georgia. However, as stated in a letter 
dated July 23, 2002, the Secretary of State’s office requested the removal of Chris Hood 
from his role working in the state. The letter reads, in part: 

“In light of the limited timeframe, resources and opportunities that we have to 
contribute to the success of the nation’s largest electronic voting deployment, we are 
requesting that a more appropriate resource be provided to support a fully coordinated 
voter education effort. With that perspective in mind, it is our position that Mr. Hood 
and his organization are not providing maximum benefit in their services to the State 
of Georgia in our efforts to help educate Georgia voters about the new voting system. 
Therefore, we respectfully request that Diebold Election Systems, Inc. review the 
current assignment of resources and make the appropriate changes necessary for the 
State of Georgia to achieve its voter education goals.” Michael Barnes, Assistant 
Director of Elections. 

Immediately upon receiving this letter, Diebold Election Systems removed Mr. Hood 
from his responsibilities within the state. He no longer contributed to the implementation 
process in Georgia. Yet the allegations contained in Mr. Kennedy’s article make it 
appear as if Mr. Hood were there and working with the system on a daily basis. 

For example, Mr. Hood mischaracterizes the “patch.” The patch was an operating system 
modification, not a modification to the tabulation system as implied in this article. This 
modification was not completed and available for installation until after August 8, 2002, 
at least two weeks after Mr. Hood was removed from his position in Georgia. Clearly, his 
reference, “We ran the election,” is not factual. 

There are additional errors and inconsistencies in Mr. Hood’s claims and throughout Mr. 
Kennedy’s article: 

“We were told that it was intended to fix the clock in the system, which it did not do,”
Hood says. “The curious thing is the very swift, covert way this was done.”

First of all, Mr. Hood was not even working on the project at the time. Secondly, the 
election review panel within the state of Georgia reviewed the operating system software 
before implementation. It was not done covertly, as alleged by Mr. Hood. 



“It was an unauthorized patch.”

Again, this statement is wrong. Modifications to the operating system of the units did not 
require federal certification. However, complete logic and accuracy testing on every unit 
was implemented by the respective jurisdictions following insertion of the modification 
to insure system accuracy. 

“Diebold also illegally installed uncertified software in machines used in the 2004 
presidential primaries.”

Diebold Election System software used during the 2004 presidential primary was 
certified by the Federal Election Commission organization and/or approved by the chief 
election official within each respective state.

“Diebold, along with its employees and their families, has contributed at least $300,000 
to GOP candidates and party funds since 1998.”

Diebold’s ethics policy restricts top executives of the company and all members of the 
election system division from participating in fund raising activities. This was instituted 
in June of 2004. 

“Diebold not only failed to follow up on most of the recommendations, it worked to cover 
them up. Michael Werthheimer, RABA” 

A series of security enhancements have been added to the Diebold touch screen machines 
based on the RABA report. They include: Advanced Encryption Standard (AES) 128-bit 
data encryption, dynamic passwords, and digitally signed memory card data.

“That year (2004), Diebold would count the votes in half of Ohio's counties.”

Not a single Ohio jurisdiction deployed Diebold Election Systems’ touch screen system 
during the 2004 presidential election. None. Zero. Two of Ohio’s eighty-eight counties 
used the Diebold Election Systems paper ballot optical scan system. The larger of the two 
counties, Lucas County, overwhelmingly voted for John Kerry. The article contains 
additional fabricated information. 

“The three counties with the most discrepancies - Broward, Palm Beach and Miami 
Dade - were also the most heavily Democratic”

None of these three counties use Diebold Election Systems voting equipment. 

As regards the Princeton study referenced in the article, our response to this deeply 
flawed report can be found at the following address: 
http://www.diebold.com/dieboldes/pdf/princetonstatement.pdf 


“On September 12th, in Maryland's first all-electronic election, voters were turned away
from the polls because election officials had failed to distribute the electronic access
cards needed to operate Diebold machines.”

An election official’s human error of not loading voter access cards into the supply bags 
for the precincts is now absurdly being portrayed as a system-related problem. This issue 
is analogous to an election official forgetting to send paper ballots to a precinct. It is 
human error - not system error.

“Electronic voting machines are making things worse instead of better.”

The author of the Cal Tech/MIT study, Charles Stewart III, who is also quoted in the
Rolling Stone article indicates in this report that with the implementation of new voting 
equipment and procedures, “this works out to a recovery of one million “lost votes” 
between 2000 and 2004.” This certainly indicates a dramatic improvement in voting 
accuracy. 

“A government report uncovered large and unexplained discrepancies in vote totals 
recorded by machines in Cuyahoga County.”

The ESI report was proven to be in error by the Cuyahoga County Board of Elections, as 
archived election data exactly matched official election results once the errors of the ESI 
report were identified by the board and corrected. As an example, 17 year old and
curbside votes were not included in the studies’ analysis, but of course were included in 
the official election totals. The Cuyahoga County Board meeting minutes disclose this 
fact. 

“The company had barely completed its acquisition of Global Election Systems” (date
referenced is May 2002). 

The Global Election Systems acquisition was completed by Diebold on January 22, 2002. 

Don’t the readers of Rolling Stone deserve a better researched and reported article than 
the one penned by Mr. Kennedy? We think so. We hope that after reviewing this letter
Rolling Stone will agree. 


Sincerely, 








David Byrd 
President 







Diebold Election Systems, Inc. 

PO Box 1019 
Allen, TX 750013 


Michael E. Lindroos
Vice President
LindroM@Diebold.com
330-705-7654


August 16, 2006 

Cuyahoga County Commissioners
Administration Building
1219 Ontario Street
Cleveland, Ohio 44113

Via email and regular mail

Re: Erroneous Report Posting 

Dear Commissioners Hagan, Commissioner Dimora and Commissioner Lawson Jones:

We are surprised and dismayed by the posting of the Election Science Institute-ESI 
(VoteWatch) inaccurate analysis covering the May 2006 primary election (the “Report”). 
The Report is inaccurate and the result of an erroneous and misleading investigation that is 
clearly false. 

We have previously pointed out the errors in the Report and the investigation methodology 
to the County. We have further been made aware that the County also informed ESI of 
these defects on August 3rd. The Report as posted fails to take our comments into account 
or correct the defective analysis. Attached is a document reflecting a more accurate 
description of the issues which were inaccurately portrayed in the Report. Such document
is incorporated herein by reference. We would request that the Report be immediately 
removed from the County’s website, and a copy of this letter and the attachment be 
distributed to all persons who have received the same from the County. Such distribution 
should at least be by means of posting this letter on such website in lieu of the Report. 

We believe that the continued publication of the Report without including our comments 
can be reasonably interpreted to constitute intentional and willful defamation of Diebold 
Election Systems. 

Given the pre-Report unwillingness of ESI to allow Diebold Election Systems to 
participate in the analysis of the election specific data prior to the report and the evaluation 
of the specific election equipment, there would seem to be an apparent weakness in the 
skills of ESI or the investigatory methodology employed by them in this instance. This is 
especially true due to the simplistic analytical errors which were discovered independently 
by both the County’s election professionals and Diebold Election Systems. Quite frankly, 
given the weakness of this analysis, we feel it would be irresponsible for any jurisdiction to 
rely on the reports such as this by ESI without a very thorough review of their background, 
the work performed and the analytical methodology utilized. 





Diebold Election Systems equipment is reliable and accurate. This has been demonstrated 
in not only all other Ohio jurisdictions using the system during the May primary, but also in 
thousands of elections in hundreds of jurisdictions throughout the nation. One example of 
independent evidence of the accuracy of our equipment can be found in the parallel 
monitoring testing conducted by the State of California in actual elections over the past 
several years. 

We look forward to your taking action consistent with the requests found in this letter. 
Sincerely, 

Michael E. Lindroos, Esq. 

Vice President and Counsel 

cc: Mr. Michael Vu, Director of Elections, Cuyahoga County 

Mr. Hertzberg, ESI 

Mr. David Byrd, President, Diebold Election System 
Ms. Jessica Miner, Diebold Election Systems 
Mr. Hugh Shannon, Cuyahoga County Commissioners 






August 15, 2006 


Response from Diebold Election Systems to the Election Science Institute 
Report to the Cuyahoga County Board of Commissioners re: the May 
2006 Primary Election 

Background: The Cuyahoga County Board of Commissioners contracted with Election Science Institute (ESI) 
to analyze various aspects of the May 2006 Primary Election. ESI's initial report was presented to Cuyahoga
County officials on Friday, August 11, 2006. Diebold Election Systems has reviewed that report along with
the Cuyahoga County Board of Elections. The following response can be attributed to Mark Radke, director 
of marketing, Diebold Election Systems. 


++++++++++ 

“The initial review and conclusions reached by ESI concerning the Comparison of Vote Count By Candidate
simply are wrong. In their primary areas of focus, ESI failed to take into account Election Day administrative
actions that - had a thorough analysis been done and questions asked - would have determined the correct
answers. The county provided additional data to ESI on August 3rd when ESI was unable to reconcile the two
analysis databases. This data from the county was not incorporated into the ESI report and their conclusions
within this report are incorrect. The Cuyahoga County Board of Elections and Diebold Election Systems
again reviewed the analysis databases on August 12th, and confirmed the initial data provided by the county
on August 3rd. In some cases, it is apparent that ESI itself made mistakes in its own testing procedures.

“The principal issues are the seeming discrepancy between the memory cards and the Voter Verifiable Paper
Audit Trail (VVPAT) totals, and the on-the-surface mismatch between the precinct memory cards and the
touch screen unit’s internal memory totals. However, the actual vote results can be balanced and verified 
when the Election Day administrative actions are incorporated into the analysis. 

“As previous reviews have shown, poll worker training was insufficient. Poll workers in various locations 
apparently pulled memory cards from one touch screen unit and placed that memory card into another touch 
screen unit. However, they did not also remove the respective VVPAT paper tape and place it into the second 
unit. Clearly, removing a memory card from one unit and placing it into another without also relocating the 
VVPAT records will account for a discrepancy when those results are compared. 

“In addition, several precinct locations called the Cuyahoga County election office early on Election Day to
report they did not have memory cards for their touch screen units. New memory cards for the precincts were 
programmed at election center and delivered to the respective precincts. In the meantime, poll workers found 
the original memory cards and began to use them in the touch screen units. When the new memory cards 
arrived from election central, the original cards were removed and the new cards were inserted into the touch 
screen units and used for the remainder of the election. This type of memory card activity will cause totals 
from the individual memory cards and the touch screen unit not to match. 

“ESI’s review failed to take into account the procedures for handling curbside voters and 17-year old voters.
As a result, the report erroneously concludes that precinct totals from specific precinct or voting center
memory cards do not match the totals from the touch screen unit’s internal memory located on the unit’s
motherboard. Cuyahoga County used paper ballots for these special voting cases. The votes were inputted
into touch screen units and the totals were placed on separate memory cards. It is apparent that ESI tabulated
the memory card totals from the touch screen units used within the precinct for walk-in 18 year and older
voters, but did not include the totals from the memory cards for curbside voters or 17-year old voters. This
omission caused the variance between the two totals. The Cuyahoga County Board of Elections notified ESI
of this omission on August 3rd.

“ESI's own testing procedures also were flawed. On several memory cards which were uploaded by ESI
from the touch screen unit’s internal memory and used for the ESI analysis, zero votes were present;
however, the internal memory of the touch screen units contained between 30 and 50+ votes, respectively.
The original memory cards used in these touch screen units during the actual election contained the same 
number of votes as the internal memory of these units. ESI operator error appears to be the cause of these 
memory cards used in the ESI analysis not containing any votes, as they should have been uploaded directly 
from the touch screen’s internal memory which did contain the correct number of votes cast. ESI does state in 
the analysis that "Human error can not be ruled out as the source of the discrepancies reported." 

On page 88 of the ESI analysis, it states, "Printer problems were not evenly distributed throughout but rather 
were clustered in particular voting centers. For example, 18 voting centers experienced 100% of the printer 
errors (4 vote centers experienced 46% of the printer errors).” Clearly, poll worker training was an issue in 
these specific precincts, as the VVPAT printer performed admirably in the vast majority of precincts. 

“Finally, the ESI report (Page 100) criticized the VVPAT’s performance because the ink occasionally ran 
low, even though the VVPAT does not use ink or an ink cartridge. A thermal printer is used within the 
VVPAT to eliminate the issues associated with replacing ink cartridges. Thermal printers also require 
virtually no maintenance and are very reliable, as heat is used in place of ink to mark the VVPAT paper. 

“The accuracy and reliability of Diebold’s system is proven as the system has been tested by federal and 
independent laboratories, and has passed a regime of stringent parallel monitoring accuracy tests. Diebold 
Election Systems will continue to work with the Cuyahoga County Board of Elections staff to address any 
perceived issues that arise so that the November General Election can be conducted smoothly, as was the case 
with the August special election.” 





Election Officials Pleased 
Electronic Machines Found Reliable 

August 23, 2006
FOR IMMEDIATE RELEASE

CONTACT: Aaron Ockerman
(614) 581-8238

COLUMBUS, OH - After the results of an audit of the Cuyahoga County primary were
found to be faulty, election officials around Ohio again sought to assure their voters that 
their votes will be counted. 

“As we had stated previously, the audit in Cuyahoga County provided no reason for 
voters to question the integrity of their elections process or the machines that record their 
votes,” said Steve Harsman, President of the Ohio Association of Election Officials 
(OAEO). “Those of us who do this for a living knew immediately that something was 
wrong with the study, and it disheartened us that so many people used it as an excuse to 
try and erode the public’s trust in our elections system,” he continued. 

After vendors and election officials were brought in to discuss the findings of the study 
which cast aspersions on the safety of the voting equipment, many gaps were found in the 
results. Claims that vote totals on memory cards did not match up to vote totals on paper 
trails were found to be untrue. After further analysis, it was proven that no votes were 
lost, and other than minor problems with paper jams, the equipment performed as 
expected. 

Jeff Matthews, past president of the OAEO, attributed poor execution of the audit for the 
problems. “Unfortunately, ESI either didn’t know how Ohio’s elections systems worked, 
or chose to ignore their own people who tried to advise them of it. Their methodology 
was flawed, their execution was poor, and their results and conclusions suffered as a 
result. The real losers of this non-accredited agency’s debacle are the voters of Ohio who 
were given false conclusions and made to believe that their elections are unsafe.” 

More than 40 Ohio counties have now used electronic voting equipment in elections, and 
most counties have had a smooth conversion from their old equipment. While no 
transition of this magnitude unfolds without problems, all parties seem to be moving 
forward without major incident. Voters appreciate the ease of use of the new machines, 
and election officials continue to gain experience and expertise with their new equipment. 

Harsman added that his own experience in Montgomery County validates that the new 
voting technology does work. “My staff has worked 18 hour days seven days a week to 
prepare for our elections, and the results have been fantastic. With proper training, solid 
processes, and a little elbow grease on our part, Ohio’s elections can continue to be top 
notch,” he stated. “I think the bottom line of this whole mess is that the problems 
experienced in Cuyahoga County are fixable and isolated. Attempts to use their 
experience to condemn the entire state just don’t hold water,” he concluded. 





The Ohio Association of Election Officials is a bipartisan organization representing the 
members of Ohio’s 88 county boards of elections, their directors and deputy directors. 

OAEO is a professional organization dedicated to the training and education of its
members, thus ensuring fair and accurate elections for all Ohioans. Steve Harsman, 
President of the OAEO, is director of the Montgomery County Board of Elections. Jeff 
Matthews, past president of the OAEO, is Director of the Stark County Board of 
Elections. 

- 30 - 





From: Rebecca Mercuri, Ph.D. 

To: The U.S. Congressional Committee on House Administration
Subject: Electronic Voting Machines: Verification, Security and Paper Trails 
Date: October 4, 2006 

I am submitting this comment on the subject of “Electronic Voting Machines: 
Verification, Security and Paper Trails” with the request that it be added to the record of 
the hearing held on September 28, 2006 by the Committee on House Administration. 

I, Rebecca Mercuri, am the President and Chief Technology Officer of Notable Software, 
Inc., of Mercer County, New Jersey, a computer consulting firm I founded in 1981. I
have been researching electronic balloting systems since 1989, and defended my Doctoral
Dissertation, entitled “Electronic Vote Tabulation: Checks & Balances,” at the University
of Pennsylvania’s School of Engineering and Applied Sciences, on October 27, 2000. In 
addition to my Ph.D., I have two Master’s degrees and a Bachelor’s degree in Computer 
Science and Engineering. During 2003-2005 I held fellowship positions at Harvard 
University, first at the John F. Kennedy School of Government, and then at the Radcliffe 
Institute for Advanced Study. I am the sole author or primary co-author of over 40 
published technical papers, nearly half of which have pertained to electronic balloting or 
vote tabulation. My writings on this subject have been cited in the U.S. Congressional 
Record and on the floor of the Irish Parliament. I have also delivered comments upon 
request to the U.S. House Science Committee, the U.S. Commission on Civil Rights, the 
U.K. Cabinet’s Office of the e-Envoy, the Federal Election Commission, the U.S. 
General Accounting Office, State Legislative Committees in Connecticut, Pennsylvania 
and North Carolina, the New York State Board of Elections, and numerous municipal 
boards. I have had a direct role in influencing the wording pertaining to paper ballot 
records that appears in the Help America Vote Act (HAVA) and many state election 
laws. I served for three years as a member of the Institute for Electrical and Electronics 
Engineers’ working group that provided material incorporated into the Election 
Assistance Commission’s 2005 voting system guidelines. Some of the activities that I 
have performed during the course of my investigations and research have included: 
casting sample votes on a wide range of balloting systems (including use of accessibility 
features), attending detailed briefings on the operation and set-up of this equipment, 
communicating with numerous election company officials, technical and sales personnel, 
and reviewing equipment certification reports from various states. 

When I appeared before the U.S. House Science Committee at their May 22, 2001 
Hearing on “Improving Voting Technology: The Role of Standards,” among my
statements was the following: 

“To date, no electronic voting system has been certified to even the lowest 
level of the U.S. government or international computer security standards 
(such as the ISO Common Criteria or its predecessor, TCSEC/ITSEC), nor 
has any been required to comply with such. No voting system vendor has 
voluntarily complied with these standards (although voluntary compliance 
occurs within other industries, such as health care and banking), despite
the fact that most have been made aware of their existence and utility in
secure product development.” 

Over 5 years later, the above statement continues to remain true. Electronic voting 
systems are less secure and less reliable than any computer-based systems that are 
deployed in applications where auditability is mandated by law. Why this is so, is (at 
least in part) because of certain loopholes in the Federal Voluntary Voting System 
Guidelines (VVSG) that first appeared in the Federal Election Commission (FEC) 
document set, and were perpetuated into the FEC 2002 and EAC/HAVA 2005 sets, 
despite vigorous and increasing protest by the scientific and engineering community. 

In particular, all versions of the VVSG specify a Mean Time Between Failures (MTBF) 
rate that allows for many equipment malfunctions during election day to be deemed 
“within specifications” even when they affect up to 10% of the voting units. Such 
malfunctions can result in voter disenfranchisement, as we have recently seen in 
Maryland and elsewhere. This astonishing inadequacy (publicly noted by Dr. Stanley 
Klein to the EAC in 2004) explains why Cuyahoga County Ohio may have experienced a 
10% rate of failure with their Voter Verified Paper Audit Trail (VVPAT), and also why 
their vendor has not been held accountable for such poor performance. In this day and 
age, there is absolutely nothing that constitutes rocket science when it comes to printing 
information on pieces of paper in a reliable fashion. For example, the Diebold company 
manages to successfully print millions of pieces of paper each day, at their Automated 
Teller Machines located around the globe. As well, in 4/5 of the U.S. States, millions of 
lottery tickets are successfully printed, in a secure and anonymous fashion, every single 
day. But when it comes to voting, instead of using reliable paper printers that can perform 
a “cut and drop” action following ballot review by the voter, all of the major election 
system vendors have deliberately chosen to implement VVPATs by using flimsy reel-to- 
reel paper that violates voter privacy in addition to failing at the rate “deemed allowable” 
by the Federal standards. It is my belief that this “design for failure” of the VVPATs has 
been intentionally and deliberately used to undermine the numerous state laws that have 
been enacted in this regard, and to enable such anti-VVPAT showboating as was 
displayed by some of the panelists at your hearing on September 28th.

Certainly, Direct Recording Electronic (DRE) voting machines do not have to produce 
VVPATs on long, thin strips of thermal paper. The VVPAT could take the form of a 
Voter Verified Paper Ballot (VVPB), such as the optically scanned ballots, used by 60% 
of U.S. counties and an increasing number of “absentee” voters. The AutoMark 
<http://www.vogueelection.com/products_automark.html> is one such product that 
allows a full range of disability access in the private preparation of an optically scanned 
paper ballot that is essentially the same as those prepared manually by voters who do not 
require computer assistance. The Vote-PAD <http://www.vote-pad.us/> is a mechanical
system that also allows disabled voters to privately prepare an optically scannable VVPB. 

Another area of great concern involves the security vulnerabilities of computer 
equipment used in ballot preparation and vote tabulation. Here again, the federal agencies 
responsible for creating voting system guidelines have continued to perpetuate a loophole
that poses a serious risk, that of the blanket exemption from inspection for Commercial-
Off-The-Shelf (COTS) software and hardware. As I, and colleagues Vince Lipsio and
Beth Feehan, wrote in an article to appear in the November 2006 Communications of the
Association for Computing Machinery:

“This loophole is anathema to security or integrity. In other critical 
computer-based devices (e.g., medical electronics or aviation) COTS 
components may be unit tested a single time for use in multiple products, 
with COTS software typically integration tested and its source code 
required for review to ensure that it is indeed unmodified. In contrast, for 
voting equipment, this blanket inspection exemption persists, despite
having strenuously been protested by numerous scientists, especially in the 
construction of guidelines authorized by the Help America Vote Act 
(HAVA). Nevertheless, special interests have prevailed in perpetuating 
this serious backdoor in the advisory documents used for the nation’s 
voting system testing and certification programs.” 

Another massive security loophole that is allowed by the EAC/HAVA voting system 
guidelines involves the use of telecommunications devices to provide access to critical 
data for voter authentication, ballot definition, vote transmission, vote count, and voter 
lists. Although Dr. Felten has demonstrated that computer viruses can be transferred to 
voting equipment even when network connectivity is not present, the EAC showed an 
astonishing lack of discretion when it authorized that voting systems could be connected 
“across a broad range of technologies, including, but not limited to: wireless, microwave,
public telecommunications lines, and communications routers.” I informed the EAC on 
September 30, 2005 that “all such channels are not only highly vulnerable but provide 
avenues for insider as well as extensive outsider exposure to the election data and also 
potential access to the object code versions of the software running within the balloting 
and vote tabulation equipment. There is absolutely nothing in the standard that provides 
any real confidence or confirmation that accuracy, durability, reliability, availability, and 
integrity can be maintained for voting systems interfaced to telecommunications 
environments.” This is especially true where there is no means provided whereby voters 
and election officials can independently verify the correctness of electronically recorded 
ballots and their subsequent vote totals. Nevertheless, the EAC has deemed that this 
serious connectivity risk may persist. 

As flawed as the 2005 EAC standards are, they are still an improvement over the earlier 
FEC ones that ignored making any implementation recommendations regarding 
VVPATs. Since the EAC standards were also issued late, absolutely none of the $3B in 
HAVA funds will have been spent on “HAVA certified” equipment. Instead, these 
purchases were made for 2002 and even 1990 certified systems, some of which also fail 
to adequately satisfy the HAVA disability requirements. As early as 2003, I was publicly
calling for a moratorium on all DRE purchases for these reasons. Although the EAC 
granted an extension for submission of the HAVA state plans, and could have (with the 
cooperation of Congress) similarly authorized an extension for the equipment purchases 
until the HAVA voting products were certified and available, this was not done. As 
Chairman Vernon Ehlers correctly noted in his closing remarks to this panel, and as I
have also often said, it is unfortunate that the “cart was placed before the horse” in not
requiring that adequate standards were fully in place before the funds were allocated. The 
result is that the vendors have received a cash bonanza to, in effect, move their “used cars 
off of the lot,” so to speak. Some years down the road, when the new equipment models 
arrive, no HAVA funds will be left to be spent on them. Nor will any Federal funds be 
available to compensate communities for replacement of the malfunctioning and 
inadequate equipment that has, unfortunately and unwisely, been purchased under the 
HAVA program. 

The EAC needs to immediately close the aforementioned loopholes that exist in the 
voting system guidelines. This can best occur if the voices of scientists (such as myself) 
who have made extensive contributions to the understanding and deployment of verified 
voting technologies, and members of the disability community who are not opposed to 
VVPATs, can be heard. The current exclusionary practices, especially those that display 
vendor influence and bias, in these official discussion forums must be ceased. 

It is not too late to provide all citizens of the United States with the ability to 
independently verify that the ballots they cast in the 2008 Presidential election have been 
recorded as they intended. And it is not too late to provide all election officials with 
voting systems that enable efficient and proper audits of election results without the use 
of computers. Presently, this is only possible with paper. For now (November 2006 
through 2008’s election cycles), the only appropriate recommendation that can be made 
is to allow communities that had obtained the DRE systems to instead provide their 
paper-based “absentee” ballots for use by all voters, throughout the precincts. In the 
future, voting system vendors should be encouraged to augment such paper-based 
systems with additional security controls that improve the detection of ballot alteration or 
removal attempts. America need not fear that a return to paper-based voting will cause us 
to be looked upon as Luddites, rather it should focus its attention on providing the best 
election technology in the world. The current crop of DRE voting machines simply do 
not fit the bill and should be withdrawn from use. 

Respectfully submitted. 


Rebecca Mercuri, Ph.D. 
Mercer County, New Jersey 
mercuri@acm.org 
609/587-1886 






Common Cause 


Sept. 28, 2006 


Statement of Chellie Pingree, 

President, Common Cause 

Common Cause strongly supports H.R. 550, the Voter Confidence and Increased 
Accessibility Act of 2005, that would require electronic voting machines to produce a 
voter-verifiable paper ballot. 

The voting debacle in the recent Maryland primary makes clear that electronic voting 
machines are not ready for the critical task of casting and counting votes. But of the 
many problems in our system of voting, this one is fixable. Congress can move 
quickly to pass H.R. 550 and require a voter verifiable paper ballot with mandatory 
random audits for electronic voting machines and help restore voters’ faith in our 
elections system. 

Since 2003, when Representative Rush Holt (D-NJ) first introduced H.R. 550, 
computer security experts have almost unanimously endorsed his plan for requiring 
every voting machine in the United States to produce or incorporate a paper record of 
each voter’s ballot that can be checked and verified by that voter, and used in 
subsequent recounts and audits. 

Election experts, civil rights activists and citizens concerned about their vote have come 
to recognize the need for these requirements as election after election in state after state 
has demonstrated all too clearly the probability of voting machine malfunction. 

In the past three years, a large body of research by government, academic, and corporate 
entities has confirmed the problems with paperless voting and has reiterated the need for 
voter-verified paper records and mandatory random audits. Today, 215 co-sponsors — 
Democratic, Republican, and Independent — stand with Representative Holt to support 
this legislation. 


Now, it is time for Congress to act. 







Testimony of Mr. Larry W. Holmstrom 
Chief Executive Officer of TruVote International, Inc. 

Leading Our Nation to Transparent Elections 

Congresswomen and Congressmen: 

It is with great pleasure I present this testimony to the committee concerning electronic 
voting equipment. 

TruVote was formed in 2000 following the “hanging chad” election where many voters 
were disenfranchised due to the operation and use of our voting machines. TruVote was 
organized to provide solutions to this problem with the mission to insure: 

Every vote counts; 

Every vote is counted; 

Every vote accurately represents the intention of the voter; 

The voting public has confidence in the electoral system; 

The paper record, certified by the voter, is the legal representation of the vote; 

Electronic records can be audited with access to the paper ballots; 

Elections are accurate. 

TruVote International believes the public should have confidence in the United States 
electoral process. HAVA was enacted in 2002 with the objective to upgrade voting 
machines and to provide assistance and guidance to the states for fair and accurate 
elections and to increase voter confidence in the electoral process. The resulting 
implementation has not achieved these goals. The dominance of electronic voting 
machines by one or two vendors, coupled with poorly engineered systems, lack of 
consideration for accuracy, and arrogant company policies has resulted in HAVA funded 
equipment that does not meet the expectations of the voting public. 

The responsibility for election accuracy has been moved from the public domain to the 
domain of a private company. For example, one vendor, in their response to a state RFP 
responded: 


"... How does the proposed system manage recounts and verify that the ballots 
accurately reflect the votes cast?... 

RESPONSE: This response is TRADE SECRET AND CONFIDENTIAL” 

TruVote believes the United States elections should never be considered private 
property; they belong to the public. Voting systems should be open and 




transparent. Public confidence is an important foundation for our democratic 
processes. 

Electronic voting machines are important to provide the convenience and accuracy 
desired by the voting public. Electronic voting machines provide the ability to present to 
the voter, a correct ballot face and assist them in making accurate and complete race 
selections. With today’s electronic voting systems, the accuracy of the voter’s selections 
is suspect without the ability to audit and subject to errors and potential malfeasance. 

In contrast, the United States public uses electronic machines to successfully and 
accurately record over 100 million financial transactions daily. Electronic voting 
machines need to be held to this standard. 

Key to successful and accurate financial transactions is the generation of a paper receipt. 
The paper receipt is certified and retained by the purchaser as proof of the transaction. 
This receipt, reviewed and certified at the time of purchase, is the legal transaction 
record. An electronic record of the transaction is also created for efficiency in 
accounting, but the paper record remains the legal record. If any inaccuracy of the 
electronic report of the transaction is suspected, the legal paper record is used to correct 
the transaction. We need the same processes for our electronic voting. 

The focus of the electronic voting system should be the paper ballot. This paper ballot, as 
certified by the voter, should be the legal record of the vote. Electronic voting machines 
should make a corresponding electronic record of the vote and have efficient tallies and 
tabulations, but the paper ballot remains the legal record. The focus should be the 
paper record, not the electronic record. 

This is not the case with current HAVA implementations. The term VVPAT - Voter 
Verified Paper Audit Trail - suggests the paper record is not the legal record but is to be 
used for audit purposes. The correct focus should be a Voter Verified Paper Ballot 
reflecting the paper ballot as the legal record of the vote. 

The voter should be issued a receipt reflecting his or her successful voting. While it is 
not legal to issue a voter an actual copy of their ballot selections due to potential election 
fraud, the receipt should link to the paper and electronic records of the ballot selections. 
The voter should be able to confirm that his or her vote has indeed been counted and an 
audit can be or has been performed confirming the match of both the paper and electronic 
records. 

A unique identifier should be required linking the paper and electronic records. The 2005 
Voluntary Voting System Guidelines, Volume I, page 131 in discussing the requirements 
for voter verified paper audit trails (VVPAT) states: 

“The multiple cast vote records are linked to their corresponding audit records by 
including a unique identifier within each record.” 




In addition, audit and verification should be part of the election process. The 2005 
Guidelines states in section 7.9.3(g): 

“The paper record shall be created such that its contents are machine readable” 

These standards have not been met. While voting jurisdictions have mandated VVPAT 
capability on their voting systems and the dominant equipment vendors have claimed 
“VVPAT capability”, they have not implemented these and other features of the standard. 

If we held electronic voting machines and their use to the same standards that we expect 
with electronic transaction recording machines, we will restore the public confidence in 
our electoral process. I would like to suggest several steps Congress might consider to 
make this a reality. 

1. Congress should mandate that the paper record is the legal record of the vote. The 
voter certifies this record accurately represents his or her selections before the 
vote is cast. The focus of the electronic voting machine is to assist the voter in 
creating a certified, paper record of the vote. 

2. Electronic voting machines should also create an electronic record of the vote to 
be used efficiently for tallies and tabulations. 

3. The electronic record and the paper record should be linked with a unique 
identifier. 

4. The voter should be issued a receipt indicating that he or she voted and be given 
the linking identifier to his or her voting record. The voter should be able to 
confirm that indeed his or her vote has been counted and has been audited while 
not being given access to the record details. 

5. Paper records of the vote should be easily and accurately machine readable in 
order to provide efficient audits and validation. 

6. Electronic voting machines and voting processes should be re-engineered to 
insure that all voting records are accounted for and human error is minimized. 

7. As a check and balance, electronic voting system hardware and software should 
not be provided by a single vendor. 

8. Electronic voting system hardware vendors must publicly disclose all internal and 
external interfaces of their systems. 

9. All voting system software should be “open source” and available for public 
review. 




10. Copyright and intellectual property protection should be available to rigorously 
protect voting systems software. 

11. All existing electronic voting systems should be upgraded with software and 
systems that meet the above criteria. Congress should provide funds for this 
upgrade. 

TruVote intends to provide software and voting systems which meet these requirements. 

Thank you for the opportunity to present this information to you. 

Larry W. Holmstrom 
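
The reconciliation that recommendations 3 through 5 of the preceding statement call for (paper and electronic records joined on a unique identifier, then audited, with a receipt lookup that reveals no selections) can be sketched as follows. This is an added example, not TruVote's software or part of the testimony; the record layout, identifiers, and function names are assumptions, and the sample records are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample records: (link_id, {contest: selection}).
# The layout and the identifiers are assumptions made for this example.
ELECTRONIC = [
    ("A1F3", {"Governor": "Lee", "Measure 1": "Yes"}),
    ("B7C2", {"Governor": "Park", "Measure 1": "No"}),
    ("C9D4", {"Governor": "Lee", "Measure 1": "No"}),
    ("E5A8", {"Governor": "Park", "Measure 1": "Yes"}),
    ("E5A8", {"Governor": "Park", "Measure 1": "Yes"}),  # identifier reused
]
PAPER = [
    ("A1F3", {"Governor": "Lee", "Measure 1": "Yes"}),
    ("B7C2", {"Governor": "Lee", "Measure 1": "No"}),    # disagrees with electronic
    ("D2E6", {"Governor": "Park", "Measure 1": "Yes"}),  # no electronic counterpart
    ("E5A8", {"Governor": "Park", "Measure 1": "Yes"}),
]


@dataclass
class AuditReport:
    matched: set = field(default_factory=set)
    mismatched: dict = field(default_factory=dict)         # link_id -> contests that differ
    paper_only: set = field(default_factory=set)
    electronic_only: set = field(default_factory=set)
    duplicate_ids: set = field(default_factory=set)
    tally_differences: dict = field(default_factory=dict)  # (contest, choice) -> (paper, electronic)


def index_by_id(records):
    """Return ({link_id: selections}, {identifiers that occur more than once})."""
    by_id, duplicates = {}, set()
    for link_id, selections in records:
        if link_id in by_id:
            duplicates.add(link_id)
        else:
            by_id[link_id] = selections
    return by_id, duplicates


def tally(records):
    """Count (contest, choice) pairs over every record, duplicates included."""
    counts = Counter()
    for _, selections in records:
        counts.update(selections.items())
    return counts


def reconcile(electronic, paper):
    """Compare the two record sets per identifier and per contest total."""
    e_by_id, e_dups = index_by_id(electronic)
    p_by_id, p_dups = index_by_id(paper)
    report = AuditReport(duplicate_ids=e_dups | p_dups)
    for link_id in e_by_id.keys() | p_by_id.keys():
        if link_id in report.duplicate_ids:
            continue  # a reused identifier cannot be trusted as a link
        if link_id not in e_by_id:
            report.paper_only.add(link_id)
        elif link_id not in p_by_id:
            report.electronic_only.add(link_id)
        else:
            e, p = e_by_id[link_id], p_by_id[link_id]
            differing = sorted(c for c in e.keys() | p.keys() if e.get(c) != p.get(c))
            if differing:
                report.mismatched[link_id] = differing
            else:
                report.matched.add(link_id)
    paper_counts, electronic_counts = tally(paper), tally(electronic)
    for key in paper_counts.keys() | electronic_counts.keys():
        if paper_counts[key] != electronic_counts[key]:
            report.tally_differences[key] = (paper_counts[key], electronic_counts[key])
    return report


def receipt_status(link_id, report):
    """Answer a receipt lookup without exposing any ballot selections."""
    if link_id in report.matched:
        return "counted; paper and electronic records agree"
    flagged = (report.mismatched.keys() | report.paper_only
               | report.electronic_only | report.duplicate_ids)
    if link_id in flagged:
        return "recorded; flagged for manual review"
    return "no record found"


if __name__ == "__main__":
    result = reconcile(ELECTRONIC, PAPER)
    print(result)
    print(receipt_status("B7C2", result))
```

In the constructed data the two tallies for "Governor: Lee" agree even though record B7C2 differs between paper and electronic form, which is why the comparison is done per identifier and not only on totals.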





verifiedvoting.org 


October 3, 2006 


Voter Verified Paper Ballots: Seat belts for Election Safety 

Verified Voting's Testimony for the Committee on House Administration's hearings on 
Electronic voting machines: verification, security, and paper records 

ABSTRACT 

Secure, reliable, usable, accessible, and verifiable voting systems are critical to ensure accurate, 
transparent, fair, and inclusive elections. A number of states and local jurisdictions have deployed 
systems that meet all of these goals, but others have had substantial problems, particularly with 
Direct Recording Electronic (DRE) touchscreen systems. There is overwhelming evidence that 
currently-deployed DRE voting systems suffer from security vulnerabilities, reliability problems, 
and usability issues that put the integrity of our elections at risk and erode public confidence in 
election results. Procedural solutions that only address the physical security of voting machines are 
inadequate to protect against these risks. 

As the experience of many states and local jurisdictions has demonstrated, the only effective voting 
solution available today is a system of voter-verified paper ballots (such as precinct-based optical 
scan voting systems combined with accessible ballot marking devices), that are used to conduct 
compulsory manual audits of electronic tabulations. Some touchscreen systems that produce 
individual ballots as well as accessibility for voters who are disabled or do not speak English have 
proven to be useful supplements to optical scan systems, but poorly-designed and crudely-built 
voter-verifiable paper audit trail (VVPAT) DRE printers that are unreliable have put requirements 
for voter-verified paper audit trails into question. 

As a result of failures in paperless DRE voting technology, significant numbers of eligible voters 
have already been denied their right to vote, e.g., because they were turned away from their polling 
place because of inoperative voting machines. Failures in VVPAT technology have meant such 
machines failed to properly record votes that were correctly cast. As a result, some election results 
have been compromised due to such failures of DRE technology - failures that could have been 
prevented had computer scientists' earlier warnings been heeded. 

In light of the very serious security, reliability, usability, and verifiability problems with recently- 
deployed, HAVA-mandated voting systems that have become apparent during subsequent elections 
in a number of States, it is time for Congress to revisit HAVA and enact legislation to ensure that all 
voting systems enable eligible voters to cast their votes and have those votes counted in a manner 
that is secure, accurate, verifiable, accessible, and reliable. Any updates to HAVA must also ensure 
end-to-end transparency so that all aspects of the voting process are open to and observable by the 
public, from the testing and certification of machines through the final tabulation and canvass of the 
ballots. Voter confidence in our electoral process will only be restored if citizens are able to monitor 
and verify the process by which election results are reached. 

Durable paper ballot records are like seat belts. We need to use them to prevent serious injuries to 
our democratic system when inevitable and sometimes serious incidents occur. Just as some early 




seatbelt technology was awkward to use, the answer is not to throw out seat belt requirements, but 
rather to improve seat belt technology and legislation. 

Most Voting Experts and Advocates Share Many Goals In Common 

Although different voting experts, advocacy groups, and public officials differ on what voting 
equipment can best meet our needs for accurate, reliable, secure, accessible, and transparent 
elections in the United States, most of us share a number of fundamental goals, including: 

- accuracy: voting equipment should faithfully record and preserve the voting intentions of 
individual voters and minimize the numbers of votes lost; 

- verifiability: all voters must have the opportunity to verify that their votes have been 
recorded correctly; 

- fairness: voting equipment and procedures must not favor any particular candidate, party, or 
group nor exclude any eligible voters from casting a ballot; 

- reliability: voting equipment and procedures must be sufficiently robust that breakdowns are 
rare, maintenance and upgrades relatively easy, and failures do not result in keeping voters 
from voting; 

- usability: voting equipment must be easy for poll workers to set up and operate and for 
voters to use - even poll workers and voters who are not experienced with computers; 

- accessibility: voters should be able to vote independently and in private; 

- trustworthiness: voting equipment and procedures must be sufficiently transparent that both 
experts and the general public can have verifiable confidence that each stage of the election 
process has minimized the possibilities of fraud and error. 

These are not mutually exclusive goals; they can be achieved through careful selection of voting 
technologies. 

It has repeatedly been said that the States are the laboratories of our democracy. The last four years 
(i.e., from the enactment of the Help America Vote Act to the present) represent a national 
experiment in which thousands of jurisdictions have evaluated which voting technology will best 
achieve these goals. Now that most jurisdictions have completed that process, it is instructive to 
review the results from those "laboratories”. 

A Clear Majority: Optical Scan Paper Ballots 

As a recent report from Election Data Services (EDS 2 Oct 2006) documents, many states and local 
jurisdictions have adopted new voting technology in the past four years since HAVA made federal 
funding available for that purpose. Lever, punch card, and paper-only systems have been almost 
completely replaced by optical scan and direct recording electronic (DRE) touchscreen equipment. 

From November 2000 to November 2006, the EDS study estimates that the number of counties 
using Optical Scan equipment increased from 1,279 to 1,752 (41% to 56%), and the number of 
counties primarily using DRE technology increased from 309 to 1,142 (10% to 37%). In terms of 
estimated registered voters, 84 million (49%) are in jurisdictions that will use optical scan 
technology and nearly 66 million (38%) are in jurisdictions that will use DREs in the November 
2006 elections (for the full report, see http://www.edssurvey.com/files/NR_VoteEquip_Nov-2006wTables.pdf). 




Thus, a clear majority of jurisdictions have chosen to deploy optical scan paper ballot systems, and 
some states[1] have successfully used this technology for over 20 years. In addition, some states (e.g., 
Alabama, New Mexico and Michigan[2]) which had previously deployed DRE voting machines in 
some counties decided to retire those machines and convert to a precinct-count optical scan (PCOS) 
voting system statewide. And Connecticut, which had previously planned to replace its lever 
machines entirely with DREs has abandoned that plan and instead will deploy PCOS technology 
statewide. 

These jurisdictions have realized that PCOS technology offers many advantages over DREs, 
including: 

1. All voters use the same ballot, regardless of whether they vote absentee or in-precinct, 

2. PCOS is scalable: only one scanner is needed per precinct regardless of number of voters, so 
long lines are rare, 

3. Optical scan is a mature technology used reliably for over 20 years. 

4. Optical scan paper ballots are inherently voter-verifiable and don't require VVPAT printers. 

5. In the case of recounts or manual audits, optical scan paper ballots are much easier to hand-count 
than continuous-roll paper tapes printed by VVPAT printers attached to DREs. 

A Clear Majority: Voter-Verified Paper Record[3] Requirements 

There is widespread popular support for voter-verifiable paper ballots as the simplest, easiest, and 
most cost-effective way to maintain and improve the quality of our elections. To date, 28 states[4] 
have passed voter-verified paper record requirements, and another eight states[5] are deploying 
voter-verifiable equipment statewide, through their recent HAVA purchases. Thus 36 states (over 70%) 
have concluded that systems providing voter-verifiable paper records are necessary for trustworthy 
elections. 

In addition, VVPR legislation has been introduced in several other states[6] and the legislatures of 
several pivotal states have come very close to enacting VVPR requirements recently.[7] That those 
bills have not yet passed has more to do with fiscal concerns or political maneuverings of a few 
powerful committee chairs. 

Thirteen states have already explicitly required mandatory audits of the voter-verified paper 
records.[8] 


[1] http://www.tulsaworld.com/OpinionStory.asp?ID=061001 Op 06 S]iiipl24546 

[2] http://www.michigan.gov/documents/Uniform_Voting_System_2_71047_7.pdf 2003 

[3] It is important to note that voter-verified paper records (VVPR) are not limited to voter-verified paper audit trails 
(VVPAT) attached to direct recording electronic (DRE) voting machines. The broader term includes paper ballot-based 
systems such as the precinct-count optical scan used in more jurisdictions nationwide than any other system. Paper 
ballots, marked by the voter, are inherently voter-verified. 

[4] Before 2000, NH and SD had statutes requiring paper ballots. IL, MI and NV passed voter-verified paper record 
requirements before the end of 2003. In 2004, AK, CA, ME, MO and OH added requirements, and NV became the first 
state to fully implement VVPAT with DREs. Details at: http://verifiedvoting.org/article.php?list=type&type=!l 3#state 

[5] AL, MA, MS, ND, NE, OK, RI, WY 

[6] Twelve states and the District of Columbia have introduced and/or are currently considering a VVPR requirement. 

[7] E.g. Maryland, where this year such legislation passed unanimously in one chamber but was denied a meaningful 
hearing in the other, despite urging by the Governor; Iowa, where the bill passed unanimously in one chamber but was 
attached to un-passable language in the other; Tennessee, where a legislative study committee is set to review the 
matter; Virginia, where strong bi-partisan bills were tabled due to budget issues, but not rejected. 

[8] http://verifiedvoting.org/downloads/ManualAudits-06-06.pdf 




Several bills[9] in the U.S. House of Representatives would require voter-verified paper records 
(VVPR), of which H.R. 550 is the clear leader with 219 bi-partisan co-sponsors; it also provides the 
most comprehensive and effective solution. A majority of Members of the U.S. House of 
Representatives are on record as supporting this bill, while an even larger majority are on record as 
supporting legislation to enact a VVPR requirement for all voting systems used in federal elections. 

Earlier this year, the US League of Women Voters passed a resolution in support of the use of 
voter-verifiable paper ballots/records for routine audits, and decrying the lack of a recountable audit 
trail in “paperless” electronic voting systems.[10] It is time for legislators and elections officials to 
discard the discredited assertion that non-voter-verifiable records (be they invisible electronic 
records or paper reprints of those records) are acceptable for audits of vote tallies from electronic 
voting systems. 

DREs Without Independent Verification Are Inherently Insecure 

Many flaws in the security design of DREs have been discovered over the last three years, as 
described below. However, these serious problems are all described in the context of external 
attacks, by people who do not have legitimate access to the voting machine internals. 

It is crucial to note that there are many people with legitimate access to voting machine internals, 
who are capable of perpetrating "insider attacks," and that current technology allows no direct way 
to prevent or even detect such attacks by certifying the system design or software. The only 
feasible solution is to have an independent way of checking the results recorded by the machine. 

The only acceptable solution that is currently available and certified is a paper record of the vote 
that the voter can verify for correctness before the vote is cast. This enables an independent check, 
since the paper records can be manually counted and compared with the electronic results. If there 
is an error on the paper record, the voter can see it and report and correct it. If there is an error in 
the electronic record, it can be caught because it will disagree with the paper record. 

There are a variety of other proposed methods for independent verification, including end-to-end 
cryptographic systems, audio-tape copies of the ballots, and photographs of computer screens. 

Most of these schemes are not currently available and certified. Those that are certified are too 
complex for voters and poll workers to understand, or have other gross deficiencies. 

The possible existence of paperless independent verification in the future is neither a rationale nor 
an excuse for purchasing or using totally insecure and untrustworthy paperless technology now. 


DRE Security Problems Have Been Documented Extensively 

In contrast to optical scan technology, paperless DRE technology suffers from a number of severe 
problems, including security, usability, reliability, and trustworthiness. Over the past 3 years, a 
number of in-depth studies of voting system security have been published, and each one has 


[9] http://www.verifiedvoting.org/legis 
[10] http://www.verifiedvotingfoundation.org/article.php?id=6.t63 




identified extremely serious security vulnerabilities involving paperless[11] electronic voting systems 
- vulnerabilities that pose grave risks for our electoral system. These studies include: 

1. "Analysis of an Electronic Voting System", Tadayoshi Kohno, Adam Stubblefield, and Avi 
Rubin, Johns Hopkins University and Dan Wallach, Rice University, July 2003.[12] 

2. “Risk Assessment Report Diebold AccuVote-TS Voting System and Processes”, Science 
Applications International Corporation, September 2003. (An official report commissioned by 
the State of Maryland).[13] 

3. "Direct Recording Electronic (DRE) Technical Security Assessment Report", Compuware 
Corporation, November 2003 (An official report commissioned by Ohio’s Secretary of State)[14] 

4. "Trusted Agent Report Diebold AccuVote-TS Voting System", RABA Innovative Solution Cell 
(RiSC), Dr. Michael A. Wertheimer[15] Director, January 2004. (An official report commissioned 
by the State of Maryland).[16] 

5. “Federal Efforts to Improve Security and Reliability of Electronic Voting Systems Are Under 
Way, but Key Activities Need to Be Completed” (GAO-05-956), GAO, October 2005.[17] 

6. "Security Analysis of the Diebold AccuBasic Interpreter", Dr. David Wagner, Dr. David 
Jefferson, Dr. Matt Bishop, California State Voting Systems Technology Assessment Advisory 
Board, February 2006. (An official report commissioned by the Secretary of State of 
California).[18] 

7. "Diebold TSx Evaluation: Critical Security Issues with Diebold TSx", Dr. Harri Hursti, Black 
Box Voting, May 2006.[19] 

8. “The Machinery of Democracy: Protecting Elections in an Electronic World”, Lawrence Norden, 
et al.; Report of the Brennan Center’s Task Force on Voting System Security, June 2006.[20] 

9. "Security Analysis of the Diebold AccuVote-TS Voting Machine”, Ariel J. Feldman, J. Alex 
Halderman, and Dr. Edward W. Felten, Center for Information Technology Policy and Dept. of 
Computer Science, Princeton University, September 2006.[21] 

Many of these reports, especially those published this year, address critical security concerns related 
to the use of removable memory cards in electronic voting machines. (While problems with these 
cards are not the only security problems identified in these reports, they are among the most 
serious.) These memory cards are routinely used to transfer information from one machine to 
another, much like floppy disks were used in the first generation of personal computers. Examples 


"By "paperless electronic voting systems", we refer to those systems that do not produce a voter- 
verifiable paper ballot (VVPB), hence systems that are "paper-less". While we acknowledge many 
existing DRE systems contain an internal printer used to print paper "zero tapes" prior to the 
opening of the polls and "summary tapes" once the polls are closed, we still refer to such machines 
as "paperless" unless such machines are also equipped with a printer that produces a VVPR. We 
use the term "paperless" rather than "VVPR-less" because it is more readable. 
[12] https://www.eff.org/Activism/E-voting/20030724_evote_research_report.pdf 
[13] http://www.verifiedvoting.org/downloads/votingsystemreportfinal.pdf 
[14] http://www.sos.state.oh.us/sos/hava/compuware112103.pdf 
[15] Dr. Wertheimer now serves as the Assistant Deputy Director and Chief Technology Officer in the Office of the 
Deputy Director of National Intelligence: http://www.dni.gov/press_releases/20nsi0Tl release.htm. 

[16] http://www.raba.com/press/TA_Report_AccuVote.pdf#search="raba report diebold". 
[17] http://www.verifiedvoting.org/article.php?id=5826 

[18] http://www.ss.ca.gov/elections/voting_systems/security_analysis_of_the_diebold_accubasic_interpreter.pdf 
[19] http://www.blackboxvoting.org/BBVtsxstudy.pdf 
[20] http://www.brennancenter.org/programs/downloads/Full%20Report.pdf 
[21] http://itpolicy.princeton.edu/voting/ts-paper.pdf 




of such usage include the authorized installation of certified software updates, the downloading of 
ballot formats for an upcoming election, or the uploading of the votes cast by voters in an election that 
has just ended. Some of these operations are performed by poll workers, some by election officials, 
and others by technicians employed by the voting system vendor, presumably under the supervision 
of election officials. 

In all of the recent reports, various modes of attack are described by which an adversary who 
obtains unauthorized access to a removable memory card located in an electronic voting machine 
can corrupt the vote tallies and voting records produced by that machine. The first few of these 
reports focused on the potential for such unauthorized access to occur either while a voting machine 
was at, or in transit to or from, the polling place for an election. 


Vote-Stealing Code Can Be Spread By Virus-Infected Memory Cards 

The seriousness of DRE security vulnerability was recently documented in a September 2006 
publication of the security vulnerability study by the team of researchers at Princeton University led 
by Prof. Edward Felten. That study revealed (and demonstrated) a previously unexplored 
vulnerability posed by such removable memory cards: their ability to transmit a computer virus that 
spreads between voting machines and memory cards whenever the latter is plugged into the former. 
In this manner, a single infected card could introduce such a virus into a population of voting 
machines, many weeks or even months before an election. Over time, as unsuspecting elections 
officials moved memory cards between voting machines in the course of routine election activities 
(e.g., downloading ballot formats or uploading votes), they could unknowingly spread the virus to 
more machines. As the Princeton team demonstrated, that virus could be used to introduce vote- 
stealing software onto all such infected machines. 

This discovery by the Princeton team invalidates an oft-repeated assertion by voting system vendors 
and other proponents of paperless electronic voting machines: that such machines are immune to 
computer viruses because they are never connected to the Internet. Just as humans can be infected 
with viruses in multiple ways, so can computers - and voting machines. Long before the Internet 
existed, computer viruses spread between early PC's via floppy disks moved from one machine to 
another, just as the removable memory cards are now moved between voting machines. 

Thus, even if, for the sake of argument, one assumes that effective mitigation procedures can be 
implemented in practice to prevent (or at least detect) any tampering with the removable memory 
card in a voting machine while it is at (or in transit to or from) the polling place, that does not 
ensure that that memory card or voting machine was not already infected, long before it was 
configured and secured (i.e., tamper-evident tape applied) in preparation for shipment to the polling 
place. Even more insidious is the fact that the memory card and/or machine might have been 
unknowingly infected by an honest election official or poll worker in the course of routine and fully- 
authorized election-related activities performed by those individuals. Once a machine is infected, 
that infection can only be detected or disinfected by means of a very labor-intensive process 
conducted by a relatively-skilled technician. 

While the expert who identified the specific vulnerabilities described in the Princeton study was 
given access to that system to examine it (and justifiably so, given earlier revelations about poor 
security design in these systems), we have no way of knowing if or how many other persons with 
sufficient access (and ill intent) may have quietly uncovered these vulnerabilities earlier. 




Currently, tens of thousands of such vulnerable machines are deployed nationwide, and many of 
them have been deployed since 2002, i.e., fully four years before the publication of the Princeton 
study and the concerns it has now raised about the risk of such infections. Thus, many of those 
machines were in circulation long before the mitigation procedures were issued by several states
earlier this year. Accordingly, some of those machines may have been infected prior to the 
application of these mitigation procedures. Putting such mitigation procedures into effect at this 
late date may be about as effective a means of preventing infection as first starting to apply 
mosquito repellent several years after moving to a malaria-ridden region. 

It is currently unknown what fraction of vulnerable DRE machines and memory cards may already 
be infected with viruses of the type demonstrated in the Princeton study, and answering that 
question would require a costly and time-consuming forensic examination of all such machines and 
memory cards currently in circulation, as well as disinfection of any machines or cards found to be 
infected. And unless such disinfection is complete across all machines in a jurisdiction (or until 
such DREs are re-engineered to provide immunity to such viruses), disinfected cards or machines 
could become re-infected if exposed to any card or machine that was still infected. 

Unfortunately, most states have not ordered such examinations of their deployed DRE machines, 
either because they lack the resources to do so or they optimistically assume that no such infections 
have yet occurred. Based on the extensive spread of viruses throughout other forms of electronic 
technology (e.g., personal computers, cell phones, and even ATM machines^^), it seems both risky 
and naive to assume that no such viruses are already circulating among DRE voting machines 
whose inherent design places them at very high risk to such viruses.

This problem cannot be solved in any practical sense by the application of tamper-evident tape or 
by applying, at this late date, strict chain of custody procedures for machines and memory cards 
which may already be infected. The only viable solution today is to employ a system of voter-verified
paper records that are checked via compulsory manual audits of those records. 

Physical Chain of Custody Is Not Sufficient 

In response to the alarm raised by those reports, a number of states (e.g., Ohio^^ and Florida^'*) 
issued advisory warnings recommending that local jurisdictions employ specific mitigation 
measures, including stricter procedures for monitoring the chain of custody for such voting systems 
as well as the use of serially-numbered tamper-evident tape to seal the access doors that cover the 
slots into which the removable memory cards are inserted. Some states, such as California, took 
stronger action, temporarily suspending or delaying certification of such voting systems and then 
certifying^’ those systems conditional on the strict application of such mitigation measures. 
Assuming that such measures could be counted on to prevent any unauthorized access to these 
vulnerable removable memory cards from occurring or going undetected, state election officials 
argued that these measures would be sufficient to eliminate the risks associated with the use of
these cards.


"Nachi worm infected Diebold ATMs",
http://www.theregister.co.uk/2003/11/25/nachi_worm_infected_diebold_atms/
http://www.sos.state.oh.us:80/sos/electionsvoter/advisories/2006/Adv2006-03.pdf
http://election.dos.state.fl.us/pdf/memorandum.pdf
http://www.ss.ca.gov/elections/voting_systems/cert_doc.pdf




Unfortunately, while such mitigation measures seem like they should be effective in theory, strict 
enforcement of such measures has so far proven to be very difficult for poll workers and elections 
officials to carry out in an actual election environment. For example, during recent elections (e.g., 
California's June 2006 primary election or Maryland's September 2006 primary) in jurisdictions 
where such mitigation measures were required (e.g., San Diego County, CA or Baltimore County, 
MD), the actual effectiveness of such measures has been questionable at best. Poll workers in 
those jurisdictions have reported numerous problems with the tamper-evident tape, including: 

1. difficulty in determining when a tape has been tampered with, because the resulting change in
appearance is hard to discern visually^^

2. having inadequate training to know whether a legitimate piece of tape has been removed and 
replaced by a counterfeit piece.^’ 

In addition, California's statewide requirement for maintaining a strict chain of custody for such 
electronic voting systems conflicts with San Diego County's longstanding practice of sending such
voting systems home with poll workers in the days or weeks preceding the election. As a result, 
such machines were left unattended and unsupervised for lengthy periods of time in poll workers' 
homes, garages, vehicles, or other potentially-insecure locations. Consequently, the state-imposed 
"chain of custody" requirement that was part of these mitigation measures was not strictly enforced, 
despite the fact that the State's certification of the voting system used in that county was
conditional on the strict enforcement of that requirement. 

Thus, these sorts of mitigation measures that only address the physical security of voting 
machines (either while they are located at the polling place or are in transit to or from that location)
are difficult to implement in practice, given the performance of the tamper-evident tape currently in 
use, the skill and training level of poll workers, and the currently-funded methods for distributing 
massive numbers (e.g., 10,000) of voting machines to large numbers (e.g., 1,500) of polling places 
in counties such as San Diego, California. Accordingly, such mitigation measures are inadequate to 
address the previously-documented security risks associated with the use of these removable 
memory cards. 

Although we entrust election procedures to our dedicated election officials and poll workers, we 
must ensure that the integrity of our elections never hinges on protocols so complex that they exceed
their skills and training. And we must ensure that any mitigation procedures (implemented to 
address security vulnerabilities in voting systems) are not so fragile and intricate that they won't be 
strictly applied and enforced. 


Certification Procedures Are Woefully Inadequate 

It is important to be absolutely clear: the insecure paperless voting systems described here made it 
all the way through the existing federal certification process, despite the fact that these security
vulnerabilities were first mentioned in January 2004,^® and recently expanded upon.^^ No
certification system, even improved over today’s systems, can catch all such vulnerabilities. 


http://avi-rubin.blogspot.com/2006/09/my-day-at-polls-maryland-primary-06.html
http://cha.house.gov/hearings/Testimony.aspx?TID=1324
http://www.raba.com/press/TA_Report_AccuVote.pdf
http://www.ss.ca.gov/elections/voting_systems/security_analysis_of_the_diebold_accubasic_interpreter.pdf
(California Secretary of State); and www.blackboxvoting.org




Nor will a certification system catch ballot programming errors, since such programming is unique 
for each election and thus does not go through the certification process. Ballot programming errors 
(not uncommon, and generally representing honest mistakes rather than sinister plots) pose a very 
significant risk to the accuracy and verifiability of elections conducted on paperless DREs. Tighter 
certification systems will do nothing to protect against such risks. 


Paperless DRE Systems Are Neither Trustworthy Nor Fail-Safe 

Simply put, existing paperless DREs cannot be made trustworthy. No paper trail printed post- 
election, without the benefit of voters confirming that the document represents their intent, can 
change that. Neither can the application of tamper-evident security tape. The suggestion that a 
reprint of unverifiable electronic ballot images, never reviewed nor confirmed accurate by the 
voters, can be used to conduct a meaningful audit has been soundly and repeatedly discredited. 

Existing paperless DREs represent a system problem that cannot be resolved by procedures.
Established organizations such as the Brennan Center have concluded that paperless DREs are not 
trustworthy^®, and the addition of VVPAT, audited to check machine tallies for accuracy, is the only 
way to make such systems trustworthy®'. One must change the system itself: deploy an independent 
paper record of voter intent, confirmed by the voter, to use as the audit document and the true 
record of the vote. 

Another critical function of voter-verified paper records, apart from security, is that they provide a
vital seat belt in case of accidents and other emergencies. VVPRs resolve the problems that occur
when machine malfunctions result in lost electronic vote information.

A voter-verified paper record printer, for example, would have resolved the problem in Carteret 
County, NC in 2004 when 4400+ votes were irretrievably lost, affecting the outcome of a statewide
race in which the margin was less than 2000.®® After that unfortunate (and costly) event, NC passed 
a voter-verified paper record law. Each election, new examples arise - either of situations where 
votes were irretrievably lost, but could have been recovered if a VVPR requirement were in place, 
or of problems discovered and resolved because VVPR systems were in place. 

A problem encountered with the scanner component of a paper ballot system need not result in lost 
votes. If the marked ballots are correctly managed, retained and recounted, votes can still be 
counted in a number of different ways. But a DRE which fails may lose these votes forever. 


U.S. GAO (see: http://www.verifiedvoting.org/article.php?id=5826). Johns Hopkins Institute, Raba Trusted Agent
Report for MD's legislature and the Brennan Center’s Task Force on Voting System Security:
http://www.brennancenter.org/programs/downloads/Full%20Report.pdf
Carter-Baker Commission (see http://www.verifiedvoting.org/article.php?id=5824). CA Voting Systems Technology
Advisory Board, League of Women Voters (June 2006)

http://www.wral.com/news/3891488/detail.html

Testimony to the EAC from a Nevada election official regarding their initial implementation of VVPAT printers
somewhat contradicts these concerns for one vendor’s design; he said it was relatively simple, in the particular system
they used, to change the printer cartridges and it could be done during the voting day with minimal interruption.




DREs Require More Extensive Secure Ballot Boxes

A fundamental distinction between DREs and paper-based systems that is often overlooked 
involves both the transparency and number of ballot boxes associated with each type of system. 

And this distinction has a profound effect on the level, complexity, and effectiveness of the 
procedures that elections officials and poll workers must employ to ensure the security of the ballot 
boxes. 

In any voting system where ballots of record are paper (such as PCOS), each precinct has one (and 
only one) ballot box that is typically some sort of locked receptacle into which the optical scanner 
deposits the paper ballots after scanning them (or into which voters directly deposit their ballots in 
the case of a central-count optical scan or hand-counted paper ballot system). Security requirements 
for such ballot boxes are relatively simple. Prior to election day, the empty ballot box for each 
precinct requires no special security precautions because it not only contains nothing of value, it 
contains nothing at all. 

On the morning of election day, at the opening of the polls, there is a simple and publicly-visible 
and verifiable process by which poll workers, along with the first voter of the day, can confirm that 
the ballot box really is empty: they can open the lid, look inside, feel the inside with their hands, or 
perform whatever other reasonable means of physical inspection they care to employ to verify that 
that ballot box really is empty. Once so verified, the lid is closed and locked in place, and the first 
voter of the day permitted to deposit his or her ballot. From that point on, until that ballot box is 
transported to the tabulation facility and unlocked, that ballot box is under the watchful eye of
all of the poll workers and observers at that polling place or at the tabulation facility. Once the
canvass is completed, the ballot box is unlocked, emptied, and no longer requires that it be securely 
stored or access to it controlled and logged. Thus, each precinct requires only one such ballot box, 
and the security of that ballot box need only be monitored from the morning of election day until 
the completion of the canvass for that election. 

In a DRE-based system, each precinct has at least as many ballot boxes as it has DREs, since the 
removable memory card in each machine constitutes a separate, electronic ballot box. (In
addition, each DRE has one or more redundant internal memories, each of which constitutes a 
"backup" electronic ballot box.) If the DREs and removable memory cards are always transported to 
and from the polling place as a sealed unit, then the number of distinct items for which "chain of 
custody logs" must be maintained is simply the number of DREs, whereas if they are transported in 
separate packages an even larger number of items needs to be logged and tracked.

In addition, the security requirements for these electronic ballot boxes (both the removable memory 
cards and the DRE machines with their redundant internal memories) are much more extensive than 
those for the ballot boxes used for paper ballots. Each electronic ballot box must be subject to 
strict security protocols and chain of custody procedures at all times, even between elections. 
Otherwise, if there is a lapse in such procedures and a malicious individual obtains even brief access 
to either a removable memory card or a DRE machine, the potential for infection exists. Once such 
an infected memory card or machine enters the equipment pool in a given jurisdiction, elections officials and
poll workers can unknowingly spread that virus as cards are moved between machines during 
routine operations that occur either during or in-between elections. 

Unlike simple locked boxes that are used as ballot boxes for paper-based voting systems, poll
workers and polling place observers have no direct method for verifying that any of the electronic
ballot boxes deployed at a given precinct are indeed empty (or uninfected) on the morning of 
election day. The only method they have is to ask the DRE to print out a "zero tape"; in other words, 
the poll workers and observers can't verify for themselves that the electronic box is empty, they 
have to ask the DRE and take its word. As Dr. Felten's demonstration illustrates in such a 
compelling way, if the DRE or its memory card is infected with a virus carrying a vote-stealing 
payload, then the "zero tape" printed by the DRE has little meaning. Further, some systems' 
software allows for the retroactive printing of a “zero tape” - well after voters have begun casting 
votes on the device - rendering it essentially meaningless. 

In summary, systems which have a paper ballot of record impose a considerably lower security 
burden on elections officials and poll workers, because only one ballot box is needed per precinct, 
and it only needs to be secured from the start of the election until the end of the canvass for that 
election. In addition, it provides poll workers a direct and transparent means of verifying that the 
ballot box is empty at the start of the election. In contrast, a DRE system imposes a much higher 
security burden, because multiple (electronic) ballot boxes are needed per precinct and those need to 
be secured at all times. Furthermore, those electronic ballot boxes are opaque and poll workers 
have no direct means of verifying at the start of the election that they are either empty or uninfected. 


Thermal Paper Rolls Are Not Adequate For VVPR 

While many of the security and verifiability problems with DREs can be addressed by the addition 
of voter-verifiable paper record (also referred to as voter-verified paper audit trail, or VVPAT) 
printers, to date, the reliability and overall performance of such printers has been mixed. While 
elections officials from Nevada (the first state to deploy VVPAT printers) have testified to the EAC 
that such printers have performed well since their introduction in 2004, other jurisdictions, such as 
Cuyahoga County, Ohio, reported significant problems with their VVPAT printers during the 
primary elections of 2006. Accordingly, significantly better designs and operational procedures for
such printers must be developed to address the serious reliability concerns that were raised in 
Cuyahoga County. In addition, printers that fail to perform reliably once deployed should have 
their certification suspended until such reliability problems are resolved. 

In addition, VVPAT printers that print onto rolls of thermal paper present additional problems. 

First, they potentially compromise ballot secrecy, because votes are recorded onto the paper roll in 
the same order in which ballots are cast. Someone keeping track of the order in which specific
voters cast their votes on particular machines could then deduce from such paper rolls how those 
voters had cast their votes. Second, in the case of a recount or manual audit, it is cumbersome and 
time-consuming for election officials to hand count votes recorded on such rolls of paper, especially 
given that such paper may be relatively thin and can potentially be damaged during the handling 
that would occur during such recounts or audits. 

For all these reasons, such thermal roll paper VVPAT printers represent
a poor method for enabling DRE voting machines to produce a voter-
verified paper record. However, such printers represent just one
possible method for providing a VVPR. Rather than fail to implement
VVPR requirements because some of these types of printers were badly
designed and have performed poorly, the proper solution is to either
improve the design of such printers or switch to a different technology
for producing the VVPR.

It is instructive to compare the development of VVPAT printers to the evolution of seat belts in 
cars. Automobile vendors initially fought the requirement for seat belts: “they won’t be effective, 
they will cost too much, most people won’t use them,” etc. The first generation of seat belts were 
not so effective, not comfortable to wear, and most people didn’t use them. However, the public and 
the government rejected arguments that requirements for seat belts were a bad idea, or that the push 
for seat belts should be abandoned because of poor initial implementation. Requirements expanded, 
and vendors produced more effective and more comfortable seat belts. Information campaigns 
target those who forget to buckle up. 

VVPAT/VVPR requirements are the seat belts for already-deployed voting systems, a necessary
protection to ensure those systems are secure, accurate, reliable, and auditable. Some vendors have
been resistant to put significant effort into this technology, and some first generation VVPAT
systems may not be well-designed, reliable, or user friendly. It is no surprise that some election 
officials may find such systems difficult to deploy or that some voters may not verify the printouts 
from VVPAT printers.^^ Improved standards and public pressure will compel vendors to do a better 
job of implementation. And just as information that seat belts save lives caused many more drivers 
to actually use them, improved education about the crucial nature of the independent paper record 
will increase the public’s scrutiny. 


RECOMMENDATIONS

1. In order to address extremely serious voting system security vulnerabilities, a voter-verifiable 
paper record must be produced by all voting systems to enable voters to verify that their votes 
have been recorded properly. 

2. Mandatory manual audits of the voter-verifiable paper records from a sample of precincts 
selected at random must be used to check the electronic tallies produced by voting systems. 
Without such audits, the VVPRs alone provide insufficient benefit.

3. Jurisdictions using DRE voting systems must implement a reliable means of providing VVPR, 
either by attaching reliable VVPAT printers to their DREs or by phasing out their DRE systems 
and converting to precinct-count optical scan systems (as Michigan did) augmented with 
accessible electronic ballot marking devices to ensure accessibility. 

4. Any DRE+VVPAT system must have safety measures to maintain the consistency of the paper
and electronic records, such as refusing to accept more electronic votes when the printer is not 
functioning properly. 

5. In order to be certified for use, VVPAT printers must be highly reliable when set up and
administered by average poll workers with average training.
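
Recommendation 2 above, as an added example that is not part of the submitted testimony: a reproducible random selection of precincts followed by a comparison of the hand-counted paper records with the electronic tallies. The seed-and-hash selection method, the function names and every tally shown are assumptions constructed for illustration.

```python
import hashlib

# Constructed sample data (not from the testimony): electronic tallies reported
# by the voting system, and hand counts of the voter-verified paper records.
ELECTRONIC_TALLIES = {
    "P-001": {"Candidate A": 210, "Candidate B": 190},
    "P-002": {"Candidate A": 305, "Candidate B": 120},
    "P-003": {"Candidate A": 88, "Candidate B": 97},
    "P-004": {"Candidate A": 150, "Candidate B": 151},
}
PAPER_HAND_COUNTS = {
    "P-001": {"Candidate A": 210, "Candidate B": 190},
    "P-002": {"Candidate A": 295, "Candidate B": 130},  # disagrees with the machine
    # P-003 is absent: its paper records were missing or unreadable
    "P-004": {"Candidate A": 150, "Candidate B": 151},
}


def select_precincts(precinct_ids, sample_size, public_seed):
    """Choose precincts to audit so that any observer can reproduce the draw.

    Assumed method: each precinct is ranked by SHA-256(seed | precinct id) and
    the lowest-ranked ones are audited. The seed is meant to be generated in
    public (for example by dice) after the electronic tallies are published,
    so nobody can know in advance which precincts will be checked.
    """
    unique_ids = sorted(set(precinct_ids))
    if not 0 < sample_size <= len(unique_ids):
        raise ValueError("sample_size must be between 1 and the number of precincts")

    def rank(pid):
        return hashlib.sha256(f"{public_seed}|{pid}".encode("utf-8")).hexdigest()

    return sorted(sorted(unique_ids, key=rank)[:sample_size])


def compare_counts(electronic, paper):
    """Return (choice, electronic_count, paper_count) for every disagreement."""
    differences = []
    for choice in sorted(set(electronic) | set(paper)):
        e_count, p_count = electronic.get(choice, 0), paper.get(choice, 0)
        if e_count != p_count:
            differences.append((choice, e_count, p_count))
    return differences


def run_audit(electronic_tallies, paper_hand_counts, sample_size, public_seed):
    """Audit the selected precincts and report one status per precinct."""
    report = {}
    for pid in select_precincts(electronic_tallies, sample_size, public_seed):
        if pid not in paper_hand_counts:
            # No usable paper record is itself a finding, never a silent pass.
            report[pid] = {"status": "no_paper_record", "differences": []}
            continue
        diffs = compare_counts(electronic_tallies[pid], paper_hand_counts[pid])
        report[pid] = {
            "status": "discrepancy" if diffs else "match",
            "differences": diffs,
        }
    return report


if __name__ == "__main__":
    seed = "constructed-seed-4-1-6-3"  # stands in for a publicly generated value
    for pid, result in run_audit(ELECTRONIC_TALLIES, PAPER_HAND_COUNTS, 2, seed).items():
        print(pid, result)
```
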




Submitted Testimony for The Hearing of The Committee on House Administration 
Warren Stewart, Policy Director, VoteTrustUSA 


September 18, 2006

VoteTrustUSA is a nonpartisan national network serving state and local election integrity 
organizations working to promote transparent, fair, observable, and audited elections. We 
advocate improved Federal and State standards for election processes and voting systems, 
improved testing and certification procedures for voting equipment, accurate and more 
complete reporting of election data, and a more widespread understanding of concerns 
about the accuracy, security, and reliability of all electronic voting systems. We advocate 
significant routine manual audits of voter-verified paper records of the ballots to check 
the operation of the electronic equipment. We support improved procedures for state and 
local election administration and poll worker training. We support the development and 
employment of voting systems that provide all voters both independent access to vote 
casting and confidence in the accuracy of vote counting. 

We oppose the use of voting systems that do not provide an individual, permanent, voter 
verified paper record of each vote suitable for a meaningful hand-counted audit or 
recount. We oppose the involvement of voting machine vendors in the administration of 
elections, and we oppose any form of secrecy in the process of vote counting. 

VoteTrustUSA applauds the Committee on House Administration for holding a hearing 
to address the issue of electronic voting security and verification and the decision to 
include a broad range of opinion on this critical subject. 

In his opening statement Chairman Ehlers quoted H.L. Mencken, who wrote, “for every 
complex problem there is a solution that is clear, simple, and wrong.” Without 
questioning the wisdom of Mencken’s axiom, it could just as easily be observed that for 
every complex problem there is a solution that is opaque, complicated, and wrong. 

As Prof. Simons noted in her testimony, a paper ballot optical scan voting system like 
that used in Chairman Ehlers’ district, in Mr. Cunningham’s county in Ohio, by a
majority of jurisdictions across the country, and in almost every county for absentee 
voting, is the optimal currently available voting system. Optically scanned paper ballots, 
marked by the voter, are inherently voter verified, provide voters with notification of 
over- or undervotes, allow for efficient initial counts, but have the overwhelming 
advantage of providing the opportunity for humanly observable hand recounts and audits. 
Accessible optical scan ballots can be produced using tactile ballots or electronic ballot 
marking systems. Paper ballot optical scan systems have also proven to be significantly 
less expensive for jurisdictions to implement and maintain.

Voter Verified Paper Audit Trails, understood as printers attached to direct recording 
electronic voting machines, are a worthy attempt to address a fundamental flaw in those
machines: the fact that DREs do not provide an independent means of verification in the 
form of a contemporaneous record verified by the voter. As long as this fundamental 
shortcoming of DREs is left unaddressed, these machines will continue to meet with 
increasing resistance from the primary stakeholders in elections - voters. 

The VVPAT printers currently produced by the leading vendors are inadequate and
disappointing. That voting system standards have been adopted that have allowed such 
printers to be certified and implemented is also disappointing and should be corrected. 
Just as many of the witnesses argued that severe security vulnerabilities in currently 
available DRE voting systems should not lead to the abandonment of electronic voting 
entirely, so too, should clearly the flawed VVPAT printer attachments currently available
lead to the abandonment of VVPAT printers. Rather, VVPAT printers should be
rigorously tested to meet stringent reliability and usability before being entrusted to the 
critical function of ensuring the accuracy of vote tallies, just as the DREs themselves 
must be rigorously tested to meet stringent standards. 

The increasing nationwide call for paper ballots should not be misinterpreted as a 
reactionary call for a return to punch cards as references to ‘hanging chads’ might 
suggest. It is also inaccurate to make the claim as one of the witnesses did that legislation 
that would require voting systems to produce or require the use of a voter verified paper 
record “would restore us to the year 1890, when anyone who wanted to tamper with an
election needed to do no more than manipulate pieces of paper.” 

The witness also claimed that Rep. Holt’s bill, the “Voter Confidence and Increased
Accessibility Act” (HR 550), would “outlaw an entire category of voting machine with
which we have a quarter-century of experience”. As Mr. Holt pointed out HR 550 does 
not prohibit the use of DREs and it expressly allows the use of paper ballot optical scan 
voting systems - neither of which were available in 1890. Ignoring the numerous 
improvements in the administration of elections and the enhanced security procedures 
implemented by legislators and election officials across the country since the 19th 
century, it is disingenuous at best to make the claim that requiring an independent means 
of verifying the accuracy of votes counted by proprietary software, which has been 
demonstrated repeatedly to be prone to error, vulnerable to malicious attack, and 
inherently unobservable would return us to the 1890s. 

While HR 550 was not the express subject of the Committee hearing, this bill, which has 
been co-sponsored by a majority of the members of the House, was never far from the 
surface and was directly attacked by one of the witnesses. Mr. Shamos claimed in his 
testimony that HR 550 was based on three major assumptions, all of which were false. 
First, he argued that HR 550 "assumes that paper records are more secure than electronic 
ones, a proposition that has repeatedly been shown to be wrong throughout history." He 
later explained that his claim derived from the bill’s provision that in the case of 
discrepancies between manual counts of the voter verified paper record and electronic 
tallies the totals derived from the hand count shall be considered the “true and correct 
record of the voter’s vote”. Shamos claimed that HR 550 assumes that paper records are 
more secure than electronic ones and therefore “irrebuttably (sic) presumed to be
correct”. He went on to discuss the ESI report, which found that many of the voter 
verified paper records were obviously flawed or nonexistent. As VoteTrustUSA has 
discussed earlier (see Appendix 1, “HR 550 and The Superiority of Paper Records”), HR 
550 merely places the burden of proof on the party contending that the electronic totals 
were accurate. In the case of Cuyahoga County it would be quite easy to demonstrate that 
the paper records were inaccurate. The question, in the case of Cuyahoga, would be 
which of the irreconcilable electronic totals was accurate? The language of HR 550 could 
easily be clarified in mark-up if such clarification was even necessary legally. 

Mr. Shamos’ second “false assumption” of HR 550 - that paperless touchscreens are
auditable - was not substantiated. If he was referring to the redundant memory provided by
most DRE systems, his claim is meaningless, since not only did the various “redundant” 
memories examined in the ESI study conflict with each other, but the same error or attack 
that corrupted one memory would corrupt any redundant memory. The objective of a 
voter verified paper record is precisely that the voter can verify it and that it is 
independent of the electronic tabulation of the votes. While it may be theoretically 
possible to reconstruct the action of voters through the flash memory on some systems, 
this has never been attempted, presents privacy issues, is impractical, and has met with 
formidable resistance from election officials and vendors when it has been suggested. 

The third “false assumption” was that “paper trails actually solve the problems exhibited 
by DRE machines”. It is reassuring that Mr. Shamos has not been reluctant to admit that 
problems with DREs exist, but it must be pointed out that no one, including Mr. Holt, has 
asserted that “paper trails” would solve the problems exhibited by DRE machines. “Paper 
trails” especially as manifested in the extraordinarily flawed continuous roll, thermal 
paper printers that have been developed by the major voting machine manufacturers and 
certified by vendor-funded testing labs, are inadequate and emblematic of the 
extraordinarily poor quality of the products that have been purchased to count our votes. 

Later Shamos baldly claimed, “The effect of HR 550 would be to ban electronic voting 
entirely in Federal elections.” However, more than half the states already have
provisions very similar to HR 550, that require that voting systems produce or require the 
use of voter-verified paper records and their machines are not outlawed and will not be 
outlawed. What’s more, almost half the polling places in America will use paper ballot 
systems in November and every absentee ballot will be a paper ballot, as both Dr. Simons 
and Rep. Holt pointed out - paper ballots marked by voters are inherently voter verified.

Mr. Shamos also said that HR 550 “sets forth conditions that are not met by any DRE 
system currently on the market in the United States.” However all the major vendors have 
developed voter verified paper audit trail printers to meet the demand of state laws that 
already exist in a majority of states. Mr. Shamos admitted as much in his next paragraph 
when he referred to the “DRE paper trail systems that are currently on the market”. As Mr.
Holt pointed out later in the hearing, his legislation wouldn’t outlaw any particular type 
of machines, only unverifiable ones. 





Later Mr. Shamos made the unsubstantiated assertion that “the failure rate of paper trail 
DREs is double that of DREs without paper trails.” It is unclear what methodology or 
source materials he was using as a basis for this statement, but in any case he is 
comparing apples and binary files. If a printer jams or runs out of ink, the problem and its 
solution are immediately apparent. There is simply no possible way of knowing how 
many times DREs have failed to accurately count votes. 

Adding a specifically Pennsylvanian argument, Mr. Shamos claimed that HR 550 would 
violate statutory provisions in more than half the states that require a secret ballot. He 
claimed that the DRE paper trail systems currently on the market “either enables voters to 
sell their votes, or allows the government and the public to discover precisely how each 
voter in a jurisdiction has voted.” It is unclear how a voter verified paper record retained 
in the voting booth and preserved according to the secure chain of custody procedures in 
effect in each state for paper ballots in general, as HR 550 requires, would allow a voter 
to sell his or her vote. I suppose a voter could take a camera with them and photograph 
the paper record, but then they could photograph the screen of the DRE as well. In the 
small number of jurisdictions in which voters sign in at the polling place rather than by 
signing an alphabetical voter roll, the currently available VVPAT printers that retain the 
paper records sequentially would allow someone with access to both the sign-in list and 
the VVPAT to determine how each voter voted - a legitimate concern. However, this 
could easily be overcome by requiring that the printers cut each paper record like every 
ATM machine does or by having voters sign alphabetically arranged voter lists. 

Shamos next assured the committee that he is in favor of voter verification. He notes that 
“while [the voter verified paper record] shows the voter that her choices were properly 
understood and recorded by the machine, it offers no assurance whatsoever that her ballot 
was counted, that it will ever be counted, or that it will even be present when a recount is 
conducted. Once the polls have closed, the voter not only has no recourse or remedy, but 
is powerless to even determine whether her vote is part of the final tally or to object if she 
believes it isn’t.” Of course this is true with or without paper, and it’s much worse without
a paper record. In the case of a DRE with no independent means of verification, there is 
absolutely no reason that any voter should have any confidence whatsoever that her vote 
is being counted correctly and absolutely no recourse whatsoever to object if it isn’t. 

In conclusion, VoteTrustUSA strongly recommends the use of paper based optical scan 
voting systems, with ballot marking devices to provide disabled voters with the 
opportunity to vote privately and independently. If direct recording electronic voting 
systems are to be used, they should provide an independent means of verification in the 
form of a contemporaneous permanent record that can be verified by the voter in the 
voting booth before the vote is cast electronically and that is preserved according to 
established procedures and regulations for paper ballots in general. Voters should not be 
required to trust voting systems that do not provide a transparent, observable, and 
independent means of counting their votes. 





Appendix 

HR 550 and the Superiority of Voter Verified Paper Records 
By Warren Stewart, VoteTrustUSA 
April 14, 2006 

Andrew Gumbel’s recent book “Steal This Vote” provides a detailed and discouraging
survey of how the integrity of election results has been compromised and manipulated
since the grand experiment in representative democracy was launched
after the American Revolution. It hasn’t mattered what voting system was being used -
paper ballots, lever machines, punch cards, or touchscreens - the political advantage to be 
gained from criminally altering election results will always pose a temptation for fraud. 

Given the rich history of election fraud accomplished through the manipulation of paper 
ballots, the provision calling for the superiority of voter verified paper records in the case 
of discrepancies found in legislation like HR 550 has been called into question. What if 
someone managed to tamper with the voter verified paper records, whether they are 
optically scanned paper ballots, or simultaneous records generated by a printer attached to
a DRE? In the event of fraud or manipulation of the paper record, would HR 550 require 
that corrupted totals derived from paper records would nevertheless take precedence over 
electronic tabulation? 

A reading of the language of HR 550 relieves these concerns. 

Section 2(a)(2)(B)(iii) of HR 550 reads “in the event of any inconsistencies or 
irregularities between any electronic records and the individual permanent paper records, 
the individual permanent paper records shall be the true and correct record of the votes 
cast.” Section 2(a)(B)(i) of the same bill requires that the voter verified paper records be 
preserved “in a manner which is consistent with the manner employed by the jurisdiction 
for preserving paper ballots in general.” Thus all of a state’s procedures and requirements 
for securing the chain of custody of those records would apply. 

In the event of a discrepancy, one party will seek to defend the electronic tally, and the 
other will seek to defend the paper tally. Under the language in the bill, the burden of 
proof will be on the party seeking to defend the electronic tally to prove that the paper 
tally has been compromised in order to negate the bill's presumption of the preemptive 
validity of the paper records over the electronic tallies. That can be demonstrated vastly 
more readily (by way of witness testimony pertaining to breaches on the chain of custody 
of the paper records, a simple count of the available records as compared to the number 
of voters who signed in, and so on) than the reverse, as there is no evidence as to the
accuracy or inaccuracy of the electronic tally other than the voter verified paper records.

Because the voter verified paper records are the only ones verified by the voters, rather 
than by the machines, and because those records are the only evidence available by which 
to confirm or challenge the accuracy of the electronic tally, they must be considered the 
vote of record. This assumes, of course, that it is the actual voter verified records that are
being used in the comparison. The party seeking to defend the electronic tally need only
prove that it is not the actual voter verified paper records that are being used (by 
presenting such evidence as is noted above, e.g., that the ballot box was switched, or
stuffed, etc.) in order to render void the bill's special blessing given to the actual voter 
verified paper records. 

That is how the language reads and how it would have to be interpreted by any 
reasonable judge, since the entire purpose of the bill is to create an independent audit 
record in order to check the machine count. All that said, it would be a simple matter in 
the process of a mark-up to request the addition of a clarifying sentence that said 
something like "in the event of a discrepancy the voter verified paper records shall be 
considered the vote of record and the burden of proof shall be on the party seeking to 
defend the electronic tally to demonstrate by compelling evidence that the set of voter 
verified paper records being used in the audit or recount have been tampered with and 
upon such proof, the contest shall be subject to a re-vote."



OFFICE OF THE STATE'S ATTORNEY
Cook County, Illinois

RICHARD A. DEVINE, STATE'S ATTORNEY
Public Interest Bureau
69 W. Washington - Suite 930
Chicago, IL 60602
312-603-8600

To: Interested Persons 

From: Kelly Pierce, Disability Specialist 

Date: October 4, 2006

I have become aware of widespread citation of my March 2005 accessibility review of four voting machines that were being 
considered for purchase by Cook County and the City of Chicago Board of Election Commissioners. Since this report was 
written, meaningful and substantial accessibility improvements have occurred. Following the public demonstration of the four 
voting machines on March 15, 2005, Cook County Clerk David Orr announced on May 26, 2005 that he had chosen Sequoia 
Voting Systems as the new election system for suburban Cook County. The next week, the Chicago Board of Elections 
followed with a similar announcement. The first electronic voting machine to be used would be the AVC Edge. On June 13, 
2005, Sequoia Voting Systems then President and CEO Tracey Graham met with disability leaders and the Cook County Clerk 
and described the company’s substantial commitment to improving the accessibility of the AVC Edge. An audio recording of a
voting experience was produced that day following this meeting. The recording and end user experiences with the Sequoia 
AVC Edge were used to produce a June 30, 2005 report on the audio interface of the machine. Since completion of the report, 
Sequoia representatives spent more than 100 hours enhancing and improving the audio script used by the AVC Edge, states
a December 2005 memorandum by Sequoia President Jack Blaine. More than 20 hours were spent with city and county 
officials and leaders from the disability community reviewing the effectiveness of each audio prompt on the machine. Further, 
Sequoia redesigned its control box for the audio interface. The new control unit included easy to locate volume control buttons 
and a switch that increased or decreased the rate of speech in the audio recording. The new control unit also enabled those who 
could not use their hands to vote to plug in a sip and puff device so the ballot could be voted completely from someone’s 
assistive technology. 

Additionally, Sequoia committed to numerous other changes for the November 2006 election. In September 2006, Sequoia 
representatives met with the Cook County Clerk, the Executive Director of the Chicago Board of Election Commissioners and 
leaders in the disability community to demonstrate the new and enhanced accessibility features of the Sequoia Edge II Plus
voting machine, which will be used in the November 2006 election. The Sequoia Edge II Plus replaces the AVC Edge used in 
the March primary election. The audio interface now includes navigational prompts on the contest menu and an interactive
ballot review mode so blind and disabled voters can exit the review mode at a particular contest and change their selection as 
sighted voters can. The now accessible ballot review will largely resolve the problems that were described in my report by a 
Santa Clara County, California blind voter. The experiences of this voter, which were quoted in the report, were shared 
recently in testimony before a congressional committee. The company may refine the accessibility of its ballot review, further 
increasing the accessibility and usability of this newly accessible function. The re-designed touch screen on the Edge II Plus 
has legs that can be adjusted to different levels for various wheelchair heights. For the first time, people who have low vision
will be able to view the ballot using a zoom function which magnifies the type up to 400 percent its normal size as well as view 
the ballot at a high color contrast. Sequoia has re-designed its audio control unit yet again. The buttons are concave and 
recessed so those with head or mouth sticks and pointing devices can operate the machine independently. There are now also 
separate large plug-in “buddy buttons” for people with limited dexterity to use. More substantial enhancements to the 
accessibility of the Sequoia Edge II Plus are planned in time for the municipal elections in spring 2007. 

At that time, most, if not all, of the accessibility problems identified in March 2006 will be dramatically reduced if not 
eliminated altogether. The flexible nature of information technology as deployed as electronic voting machines made the 
accessibility changes and enhancements possible. As has been stated in multiple reports by the National Council on Disability, 
a federal agency, when representatives of industry, government, and the disability community work together cooperatively as 
partners in using technology to solve accessibility problems, the inconceivable becomes possible enabling a new level of 
independence never before achieved. 





The Only Independent Voting and 
Vote-Verification Method for 
People who are Deaf-Blind 

How are folks who are deaf-blind supposed to be able to vote privately and independently? 

To the best of our knowledge, the Vote-PAD is currently the only voting system that truly 
gives completely independent and private access to voting for voters who are deaf-blind. 

The Vote-PAD is a very simple assistive device that lets you mark and verify your votes on 
a standard paper ballot and to do it privately, by yourself. 

The heart of the Vote-PAD is a plastic ballot sleeve, into which a paper ballot is slid. There 
are holes in the plastic sleeve that line up with every position you might want to mark on 
the ballot, and there are large tactile identifying bumps next to each of these marking holes. 
A separate Braille guide booklet explains which holes are for which candidate or choice on 
the ballot. Hearing folks can use an audio guide tape, instead of Braille, if they prefer. You 
use a standard pencil or pen to mark in the holes for each of your choices. 

When you are done marking your votes, you can then verify your marked choices with the 
verification wand. This wand works somewhat like a vibrating light probe. You just place 
the tip into the hole you think you marked, and press the button. It will vibrate if it senses a 
good pencil or pen mark. 

For voters who want to write in a name of an unlisted candidate, the tactile ballot sleeve 
has cut out windows for the write-in boxes. For voters who can't do hand writing in these 
write-in windows, there are separate tactile write-in grid sheets. These tactile write-in 
sheets have columns of alphabetized raised-line boxes that can be marked with a pencil or 
pen. This lets you spell out your write-in candidate's name, by just moving across the 
columns and marking a letter box in each of the columns. 

The Vote-PAD binder that holds the one or more tactile ballot sleeves has front and back 
covers to keep your ballot hidden until you are ready to slide your paper ballots out of the 
sleeves and into the ballot box, privately and independently. 

Because the Vote-PAD is so simple, compact, and inexpensive, you could even use it from 
home, to vote absentee, without having to go to a polling place. What other voting system 
would allow folks with disabilities to privately and independently vote absentee, from their 
own home? 

Would it be fair to deny deaf-blind voters the use of an available system that can let them 
vote privately and independently? Obviously not! It is important that deaf-blind folks and 
others concerned about voting rights make sure that their election officials know about the 
availability and need for accessible voting assistive devices like the Vote-PAD. 

Ellen Theisen 
President, Vote-PAD, Inc. 
www.Vote-PAD.us 



660 Jefferson Ave.
Port Ludlow, WA 98365 





AFFIDAVIT OF NOEL RUNYAN 
Noel Runyan, being duly sworn and upon his oath, states: 

[illegible] I give to assist the court in determining whether the Sequoia AVC Edge Direct Recording
Electronic (“DRE”) touchscreen voting machine meets the disability access
requirements of the Help America Vote Act of 2002 (HAVA). In my opinion, as an expert
in the field of disability access and as a disabled (blind) person, the AVC Edge DRE
falls far short of meeting those requirements. I explain this opinion in more detail below.

2. The basis for my opinion is my over thirty-six years of experience with 
microprocessors, digital logic, analog circuits, speech output, human interface design,
and development of access technology for persons with disabilities, including extensive 
development and application of speech and braille interface technologies. My opinion is 
also based on my own experience, as a blind voter, voting in actual elections on the 
Sequoia AVC Edge DRE voting machine. 

3. I received a BS in Electrical Engineering and Computer Science from the
University of New Mexico in May 1973. I was named the Eta Kappa Nu Most
Outstanding Electrical Engineering Student in the United States for 1972. In 1971, I
received the Engineering Open House Sweepstakes Award for my project, "Digital
Voltmeter with Braille Output". Also in 1971, I was awarded 1st place Local, 3rd place
Regional prizes in the Institute of Electrical and Electronic Engineers (IEEE) Paper
Contest, "Aids and Devices for the Visually Handicapped Engineer".

4. While a student, in 1968-1969, I worked at the Air Force Weapons Lab,
Kirtland AFB on programs for simulating atomic bomb blasts. In 1970, I worked on
Mapsis, a tactile graphics program, at the University of Kansas.

5. From 1973 through 1978, I was employed by IBM. My projects included
design and testing of magnetic stripe card security systems testing the security for
ATMs and for Bay Area Rapid Transit system (BART) ticket machines, nonvisual
display technology research, systems architecture, electronic logic design, and human
factors engineering. At IBM, I developed the first text to speech program ever used on
microprocessors. I used speech synthesizers and microprocessors to develop
advanced prototype devices for the visually impaired. I co-invented the first talking touch
screen/tablet system. I received an IBM Special Contribution Award in 1978.

6. From 1978 through 1983, I was employed by Telesensory Systems. My
projects included development of a serial interface, and other portions of the original
VersaBraille, the first braille laptop computer. I developed and patented a vibrating dots
Braille display system. I was in charge of the Voice Output Communications Aid (VOCA)
research and development project and the TeleBraille deaf blind communicator
research and development project.

7. In 1983, I founded a company, now known as Personal Data Systems, to
develop communications systems for persons with visual impairments. I headed up the
hardware and software design and the development of the Audapter Speech
synthesizer and the Talking Tablet System. I authored the EasyScan, BuckScan and
PicTac scanning software programs. I helped design accessible touch screen
information kiosks. Recently, I have been involved in the development of talking medical
devices and accessible talking internet radio systems.

8. I have extensive experience in integrating computer systems with speech, 
braille, and large print output. I also have experience with the array of adaptive 
technologies for persons with manual dexterity handicaps, gained while I was the 
principal investigator on a National Science Foundation funded research project for 
developing voice output communications aids (VOCAs) for folks with motor 
impairments. Many people with problems like Cerebral Palsy cannot speak with their
own voice and cannot use a standard keyboard to type messages. As part of this
project, I had to become familiar with alternative data input and control systems for
people with various keyboard impairments. These alternatives included head mounted
laser pointers, foot switch, eye gaze, eye blink, and puff-and-sip switch scanned input
systems (in which the user blows or sucks air to control a communications device) and
other systems. In addition, I worked with Telesensory Systems' alternative lap tray
communications product called the Autocom, an electronic lap tray communications
system that used a magnetic selector puck, instead of a keyboard.

9. The New Mexico Election Code requires that all voting systems “shall
meet federal election standards” to be approved for use in New Mexico. NMSA 1-9-2(A).
The current iteration of the federal standards appears, in part, in the Help America
Vote Act (“HAVA”), which requires that all voting systems used in elections for federal
office anywhere in the United States shall “be accessible for individuals with disabilities,
including nonvisual accessibility for the blind and visually impaired, in a manner that
provides the same opportunity for access and participation (including privacy and
independence) as for other voters.” HAVA § 301(a)(3)(A), 42 U.S.C. § 15481(a)(3)(A).
According to the federal Election Assistance Commission (EAC), established by HAVA,
“[c]ompliance with Section 301(a)(3) requires that the voting system be accessible to
persons with disabilities as defined by the Americans with Disabilities Act, including
physical, visual, and cognitive disabilities, such that the disabled individual can privately
and independently receive instruction, make selections, and cast a ballot.” EAC
Advisory 2005-004, issued July 20, 2005. This means, among other things, that states
acquire and make available to disabled persons voting machines that will accommodate
the basic range of disabilities, including such as Cerebral Palsy, aphasia, low vision,
blind, deaf blind, and home/institution bound. The Sequoia AVC Edge voting system
accommodates none of these disabilities adequately.

10. I am thoroughly familiar with the disability access capabilities of the
Sequoia AVC Edge DRE voting machine, having reviewed the manufacturer's
specifications, attended vendor demonstrations, and having cast my vote on the
Sequoia voting machines in several actual elections. In my opinion, the Sequoia AVC
Edge DRE does not satisfy the disability access requirements of HAVA, as incorporated
into New Mexico law. This opinion is based on (1) the Edge’s complete lack of any
accommodation for persons with severe physical dexterity impairments who are unable
to use touchscreens or keypads; (2) the gross inadequacy of the Edge's audio assist
feature for persons who are blind or low vision; and (3) the Edge's failure to
accommodate elderly voters who have developed severe visual impairments with age
but are unfamiliar with and unable to cope with audio-only access technology because
they have had normal vision most of their lives. In short, it is my opinion that a large
portion of disabled citizens who attempt to cast their votes on Sequoia AVC Edge voting
machines will be unable to do so. Below, I will explain each of the deficiencies identified
above.

11. As stated above, in order for a voting system to comport with federal
requirements, a voting machine’s adaptive technology must accommodate not only
blind and low vision persons but also persons with physical disabilities, such as
dexterity disabilities. Currently available adaptive technologies for persons with various
keyboard impairments and complete inability to use hand controls, which are readily
adaptable to voting machines, are head mounted laser pointers, foot switch, eye gaze,
eye blink, puff-and-sip switch scanned input systems and electronic lap tray systems.
The only practical way to connect these adaptive devices to a computer or other
equipment the user wishes to control and operate, such as a voting machine, is through
an electronic user interface connector. The Sequoia AVC Edge DRE voting machine
has no support for these standard 2-switch systems or other user interface devices.
Therefore, voters whose dexterity disability requires them to use head mounted laser
pointers, foot switches, eye gaze, eye blink, puff-and-sip switch scanned input systems
or electronic lap trays are not afforded “the same opportunity for access and
participation (including privacy and independence) as for other voters” on the Sequoia
AVC Edge DRE, nor can a voter with such a physical disability “privately and
independently receive instruction, make selections, and cast a ballot.”

12. The Sequoia Edge, from my direct experience, has no more than a poorly
functioning and ineffective audio interface and can only achieve magnification through
external lenses. In my opinion, this falls far short of meeting HAVA standards. First, for
voters who are low vision but not blind, the Edge does not provide the combination of
touchscreen display modification capabilities necessary to accommodate the range of
vision impairments. Vision impairments vary considerably from person to person. An
adequate display modification system permits the user to change contrast, foreground
and background colors, fonts and font size, with options for multiple font sizes or for
zoom magnification. Enhanced display technologies for low vision users have been
available for over 16 years and it should be easy to add this capability to computerized
voting machines. As other DRE manufacturers have managed it, there appears to be no
good reason that the manufacturer of these voting machines could not have easily
adapted the Edge to provide accessible display technology.

13. For voters who are blind, voting machines must have an audio access
feature that permits the blind voter to receive instructions and ballot choices and to
make selections and cast their ballot nonvisually. The audio assist feature on the Edge
is very poorly designed, complicated, and unacceptably tedious. My own experience
voting on the Sequoia AVC Edge DRE with the audio assist feature in the November
2004 election illustrates the problems. After signing in, and getting my voter smart card,
I had to wait 8 minutes for officials to manage to reboot the audio voting machine. The
polling officers had been using it for touch screen voting, as there was a very long line
and just 5 voting machines for our combined 2-precinct polling place. I had my braille
notes in a hard-back notebook, so I could read my notes with the notebook on my lap.
The volume control on the front of the Edge key pad was not working well and resulted
in scratchy and intermittent sound. By the time I got the volume set to where I could
understand it, the introduction message had already finished the English instructions
and was off into other languages. I was not sure what I should do, so I finally gave up
and pressed the select button. This eventually got me to the language menu, where I
was able to select English and get started with my ballot. I must emphasize that, in my
opinion, my ability to navigate this process at all was due to my familiarity with
computers and computer technology. I doubt that most blind voters would have been
able to navigate it at all.

14. The first major problem I had was that the ballot on the Edge voting 
machine was not in the same order as the printed sample ballot. When my wife pointed 
this out to the chief poll worker, they were surprised to see the difference, and said 
maybe that would explain why they found that it was taking voters longer than expected 
to vote. Because my notes were done in the order of the sample ballot, I had to do a lot 
of hopping around in my notes and be very thorough and careful listening to the 
machine. In contrast to what we had been told, the list of candidate names was spoken 
in alphabetical order. 

15. It took me thirty minutes to work my way through the ballot and make my
selections. After that, I had quite a bit of trouble getting into the review mode, to get a
full list of all my selections. When I did, it went on and on, for 23 minutes, like a long
uncontrolled drink from a fire hose. The review function read each item, and then, at the
very end, said what my selection was for that item. It even threw in the details of what
the fiscal impact would be, and took forever. This is completely backwards. It should
announce the name of the item, then state my selection, and then read the rest of the
information for that item. Also, I should have the control to press the arrow key to move
forward or backward through the items, without having to listen to all the text about
every item. When I did find that I had made a mistake in my selections, I had to wait
until the end of the whole review process to correct it, instead of being able to stop,
make the change, and then continue with the review where I left off. I did not want to
abort the ballot verification review, to make a correction, and then have to start the 23
minute review all over again. When I later attempted to change one of my selections
from "no" to "yes", the machine would not let me just select "yes", until I had first gone to
the "no" entry and deselected it. This was very awkward and confusing. Again, I doubt
that many blind voters would be able to navigate this process.

16. At one point, as I was nearing the end of the ballot, I was dumped back 
into the language selection menu. I was being very careful to not push the "help" button, 
so I don't know why this language menu popped up. For a scary minute, I was afraid I
had just lost my ballot and was having to start all over. I re-selected "English" and
fortunately was returned to my previous location in the ballot. 

17. An additional frustration was that the volume on some of the messages
was so much lower than the rest of the messages that I had to fiddle with turning up the
volume, repeating the message, and then turning the volume back down before
proceeding. The volume on all the messages should be normalized to make them the
same. This is easy to do and should be done for all messages.




18. From the time I signed in and got my voter smart card, it took 8 minutes to
reboot the machine as an audio voting machine, 30 minutes to make my choices, 23
minutes to review and verify, and another 4 minutes to make a correction and record my
vote. Not counting the hour I had waited in line, it took me about 65 minutes to mark and
record my ballot. It would have taken even longer if I had been willing to wait, as
prompted, until the end of each message to push the "select" button. The message
misled some folks because they say something like, "...at the end of this message, you
can press the ...". This implies that you are supposed to wait until the speech message
finishes.

19. As an expert in the design of audio access technology, it is my opinion
that the Edge system was incompetently designed. Additionally, as one familiar with the
technology, I was far more likely than the average blind voter to be able to figure out
how the Edge audio assist feature worked and was structured, yet I had considerable
difficulty that slowed the voting process. Many blind voters might be embarrassed to tie
up a voting machine for over an hour, or not have sufficient patience, and therefore
decide not to vote the entire ballot or not to fully review their selections before casting
the ballot. What I have heard from other voters, even sighted voters, is that they have
often caught ballot marking mistakes in the review process. It is clear from this and from
my own experience, that we really have to go through the review process in order to
make sure that our ballots are accurate. The Sequoia review process is totally
unacceptable and would cause most voters with disabilities to skip the review.

20. When I was finally done voting, I took a portable radio out of my pocket
and turned it on, with its earphone in my ear. The Sequoia Edge voting machine was
broadcasting a lot of radio noise on the AM band. This RF noise emission represents a
possible electronic eavesdropping threat to voting privacy. Also, I noted that none of the
poll workers seemed to notice or ask what kind of electronic device I was using and for
what purpose. From the standpoint of the security of the voting machines against
electronic eavesdropping or hacking, the poll workers seemed to be too lax about letting
people use cell phones, palmtops, or other electronic equipment in the polling place.
There should have been, but were not, any announcements (audible or visible) warning
voters against using cell phones, cameras, palmtops, or other electronic devices in the
polling place.

21. There were at least two times when I wanted to ask for help from the poll 
workers. One was during the confusion I encountered from the difference between the 
printed sample ballot and the DRE ballot. The other time was near the end of my ballot 
marking, when I had a lot of trouble getting the review started and then was trying to 
find and change a mistake I found during the review. Unfortunately, the Sequoia Edge 
does not allow for simultaneous use of the audio assist feature and display on the 
touchscreen. Because the poll workers would not be able to look at a visual display on 
my system, and didn't have any way to join me in listening to the audio output of the 
machine, I assumed that I couldn't get much help from a poll worker (even though our 
head polling officer seemed very knowledgeable and helpful). 

22. Finally, the Sequoia Edge does not address the needs of elderly voters 
who have developed severe visual impairments with age but are unfamiliar with and 
unable to operate audio-only access technology because they have had normal vision 
most of their lives. This represents a large and growing portion of the voting population. 
Such persons are so accustomed to using their eyesight that they have extreme 
difficulty in understanding and using audio-only access alternatives to touchscreens or 
other visible ballots. For these voters, neither a fully adjustable touchscreen display nor 
the audio assist alternative is sufficient. Rather, they require the simultaneous use of 
both accommodations in order to vote independently and privately. In this configuration, 
the user can receive some information and cues visually and other information and cues 
audibly, and through the combination be enabled to vote without assistance. The 
Sequoia Edge voting machine does not permit simultaneous use of the touchscreen 
display and the audio assist feature. For similar reasons, it is unreasonable to expect 
people who may have no visual impairment but are motor impaired to use only the 
Edge's keypad and voice interface to operate the system. 

23. In summary, it is my opinion that the Sequoia AVC Edge voting system is 
disability accessible in name only and is not a voting system that meets HAVA disability 
accommodation requirements in any significant respect. 

I swear and attest under penalty of perjury under the laws of the State of New 
Mexico that the foregoing is true and correct. Executed this 19th day of December, 2005 
in Campbell, California. 

Noel Runyan 
(NOTARY) 




DISTRICT COURT, DENVER COUNTY, STATE OF COLORADO 
City and County Building 
1437 Bannock Street 
Denver, Colorado 80204 

Plaintiffs: MYRIAH SULLIVAN CONROY et al. 

Defendants: GINNETTE DENNIS et al. 

▲ COURT USE ONLY ▲ 
Case Number: 06CV6072 
Div: 1 
Ctrm: 1 

Attorneys for Plaintiffs: 
Paul F. Hultin (Atty. Reg. #0142) 
Andrew C.S. Efaw (Atty. Reg. #29053) 
Michael T. Williams (Atty. Reg. #33172) 
Andrew H. Myers (Atty. Reg. #34288) 
Ramona L. Lampley (Atty. Reg. #37288) 
Wheeler Trigg Kennedy LLP 
1801 California Street, Suite 3600 
Denver, CO 80202 
Telephone: (303) 244-1800 
Facsimile: (303) 244-1879 
E-mail: hultin@wtklaw.com; efaw@wtklaw.com; 
williams@wtklaw.com; myers@wtklaw.com; 
lampley@wtklaw.com 


DECLARATION OF NOEL HOWARD RUNYAN 


I, Noel Howard Runyan, hereby declare: 

QUALIFICATIONS AND SUMMARY OF OPINIONS 

1. I reside at 638 Sobrato Lane, Campbell, California. I have been asked by counsel for 
Plaintiffs in this action to provide my opinion whether the Diebold Election Systems, Inc. 
(“Diebold”) AccuVote-TSx (“Diebold TSx”) Direct Recording Electronic (“DRE”), Sequoia Voting 
Systems, Inc. (“Sequoia”) AVC Edge II DRE (“Sequoia Edge II”), and Election Systems and 
Software, Inc. (“ES&S”) iVotronic Touch Screen DRE (“ES&S iVotronic”) voting systems are 
accessible for individuals with disabilities, including nonvisual accessibility for the blind and 
visually impaired, in a manner that provides the same opportunity for access and participation 
(including privacy and independence) as for other voters. This Declaration also describes my 
personal knowledge and experience with DRE voting systems as a voter who is blind. 


EXHIBIT 11 


2. It is my opinion that the Diebold TSx, Sequoia Edge II, and ES&S iVotronic voting 
systems are not accessible for individuals with disabilities for several reasons, including: 

a. Diebold TSx’s, Sequoia Edge II’s, and ES&S iVotronic’s complete lack of a 
dual-switch capability without which the systems are inaccessible to voters with severe 
manual dexterity disabilities who are unable to use touch screens or keypads; 

b. The inadequacy of the Diebold TSx, Sequoia Edge II, and ES&S iVotronic 
audio access features for persons who are blind, low vision, dyslexic, cognitively impaired, 
or severely motor impaired; 

c. The three systems' lack of simultaneous and synchronized audio and visual 
outputs without which the systems are inaccessible for many voters with visual impairments 
(e.g., the failure of the Diebold TSx, Sequoia Edge II, and ES&S iVotronic DREs to 
accommodate elderly voters who have developed severe visual impairments with age but are 
unfamiliar with, and unable to cope with, audio-only access technology because they have 
had normal vision most of their lives); 

d. The verified voter paper audit trails (“VVPATs”) on the three systems are 
inaccessible to many voters with visual or motor impairments, so that persons with 
disabilities cannot personally verify the printout of VVPAT printers on the Diebold TSx, 
Sequoia Edge II, and ES&S iVotronic systems; 

e. All three systems’ blatant lack of adequate privacy curtains to prevent 
eavesdroppers from reading the text of ballots on the visual displays of the DRE systems; 

f. The three systems' lack of technology that allows voters with disabilities to 
select for themselves different modes or features to provide accessibility without intervention 
from poll workers; and 

g. The Diebold TSx’s, Sequoia Edge II’s, and ES&S iVotronic’s confusing 
menu selection systems that are difficult for people with cognitive disabilities to use 
effectively. 

3. The above failures and omissions could have been corrected using existing adaptive 
or other available technologies. 

4. My opinions are based on more than 36 years of personal and professional experience 
with microprocessors, digital logic, analog circuits, speech output, human interface design, and 
development of access technology for persons with disabilities, including extensive development and 
application of speech, Braille, and large print interface technologies. A copy of my curriculum vitae 
is attached (Plaintiffs’ Appendix Exhibit 36). My opinions are also based on my professional 
experience with hands-on examination, testing, demonstration, and use of various voting systems, 
including the Sequoia Edge and Edge II, ES&S AutoMark, VotePad, and Diebold TSx voting 
systems, and two separate hands-on trials of the ES&S iVotronic voting system, as well as my 
personal experiences voting on the Sequoia Edge II machines in several real elections. My opinions 
are also based on my review of current literature on voting system accessibility, technical 
specifications and publications of DRE system manufacturers, and other information gathered over 
the years at conferences, seminars, and workshops on accessibility issues. I have submitted expert 
witness declarations in other cases in Arizona, California, New Jersey, New Mexico, and 
Pennsylvania concerning access by individuals with disabilities to DRE voting machines. I testified 
as an expert witness at a preliminary injunction hearing in the Pennsylvania action. 

5. I received a BS in Electrical Engineering and Computer Science from the University 
of New Mexico in May 1973. I was named the Eta Kappa Nu Most Outstanding Electrical 
Engineering Student in the United States for 1972. In 1971, I received the Engineering Open House 
Sweepstakes Award for my project, “Digital Voltmeter with Braille Output.” Also in 1971, I was 
awarded 1st place Local, 3rd place Regional prizes in the Institute of Electrical and Electronic 
Engineers (IEEE) Paper Contest, “Aids and Devices for the Visually Handicapped Engineer.” 

6. While a student, in 1968-1969, I worked at the Air Force Weapons Lab, Kirtland 
AFB on programs for simulating atomic bomb blasts. In 1970, I worked on Mapsis, a tactile 
graphics program, at the University of Kansas. 

7. From 1973 through 1978, I was employed by IBM. My projects included design and 
testing of magnetic stripe card security systems, testing the security for ATMs and for Bay Area 
Rapid Transit system (BART) ticket machines, nonvisual display technology research, systems 
architecture, electronic logic design, and human factors engineering. At IBM, I developed the first 
text to speech program ever used on microprocessors. I used speech synthesizers and 
microprocessors to develop advanced prototype devices for the visually impaired. I co-invented the 
first talking touch screen/tablet system. I received an IBM Special Contribution Award in 1978. 

8. From 1978 through 1983, I was employed by Telesensory Systems. My projects 
there included development of a serial interface, and other portions of the original VersaBraille, the 
first Braille laptop computer. I developed and patented a vibrating dots Braille display system. I 
was in charge of the Voice Output Communications Aid (VOCA) research and development projects 
and the TeleBraille deaf blind communicator research and development projects. 

9. In 1983, I founded a company, now known as Personal Data Systems, to develop 
communications systems for persons with visual impairments. I headed up the hardware and 
software design and the development of the Audapter Speech synthesizer and the Talking Tablet 
System. I authored the EasyScan, BuckScan and PicTac scanning software programs. I helped 
design accessible touch screen information kiosks. Recently, I have been involved in the 
development of talking medical devices and accessible talking Internet radio systems. 

10. I have extensive experience integrating over 500 computer systems with speech, 
Braille, and large-print output. I also have experience with the array of adaptive technologies for 
persons with manual dexterity handicaps, gained while I was the principal investigator on a National 
Science Foundation funded research project for developing VOCAs for persons with motor 
impairments. Many people with problems like Cerebral Palsy cannot speak with their own voice and 
cannot use a standard keyboard to type messages. As part of this project, I had to become familiar 
with alternative data input and control systems for people with various keyboard impairments. These 
alternatives included head mounted laser pointers, foot switch, eye gaze, eye blink, and puff-and-sip 
switch scanned input systems (in which the user blows or sucks air to control a communications 
device) and other systems. In addition, I worked with Telesensory Systems’ alternative lap tray 
communications product called the Autocom, an electronic lap tray communications system that 
used a magnetic selector puck, instead of a keyboard. 

METHODOLOGY, ANALYSIS, AND OPINIONS 

11. The Help America Vote Act of 2002 (“HAVA”) requires that all polling places in 
elections for federal office anywhere in the United States have at least one voting system that shall 
“be accessible for individuals with disabilities, including nonvisual accessibility for the blind and 
visually impaired, in a manner that provides the same opportunity for access and participation 
(including privacy and independence) as for other voters.” HAVA § 301(a)(3)(A), 42 U.S.C. § 
15481(a)(3)(A). I understand that Colorado’s statutes incorporate HAVA’s requirements regarding 
disability access for voting systems. According to the federal Election Assistance Commission 
(EAC), established by HAVA, “[c]ompliance with Section 301(a)(3) requires that the voting system 
be accessible to persons with disabilities as defined by the Americans with Disabilities Act, 
including physical, visual, and cognitive disabilities, such that the disabled individual can privately 
and independently receive instruction, make selections, and cast a ballot.” EAC Advisory 2005-004, 
issued July 20, 2005. This means, among other things, that States must acquire and make available 
to disabled persons voting systems that will accommodate the basic range of disabilities, including 
such as Cerebral Palsy, aphasia, low vision, blind, deaf blind, and hearing impaired.¹ The Diebold 
TSx, Sequoia Edge II, and ES&S iVotronic voting systems do not accommodate these disabilities 
adequately. 


¹ Cognitive impairments are impairments that make it more difficult for a voter to process 
information. For example, voters who have suffered strokes will often suffer some degree of 
cognitive impairment. Voters with cognitive impairments often will require accommodations that 
allow them to receive information about the ballot in more than one form simultaneously — for 
example, visually and through spoken messages. 




Affordable Disability-Access Technologies Are Readily Available 

12. Omission of proper access capabilities from the Diebold TSx, Sequoia Edge II, and 
ES&S iVotronic DRE voting systems cannot be attributed to impracticality of undue cost or 
unavailable technology. Adding the necessary switch-control inputs, alternative tactile-key controls, 
speech output, and easy-to-read large-text display to electronic voting equipment does not have to 
entail major costs or great technology breakthroughs. 

13. For over 15 years, computer hardware and software have been successfully assisting 
persons with a wide variety of disabilities to meaningfully communicate with and use computerized 
systems. Although not perfected and not implemented evenly across all possible applications, 
computerized access technologies have made most computer systems reasonably accessible for most 
persons with disabilities. This is especially true in the case of access to personal computers. 

14. Many blind or low vision folks can now regularly use large-text, speech, or Braille 
interface systems on computers to do word processing, email, and web browsing. 

15. For over a decade, most personal computers have been able to speak to their users in 
a high quality voice, using only inexpensive software programs and the standard built-in hardware of 
the computer. Single-line Braille displays (although costing several thousand dollars or more) have 
been used by many blind computer users for decades. 

16. For over 16 years, the standard built-in video hardware of personal computers has 
been powerful enough to allow screen magnifier programs to magnify screen text and images, adjust 
contrast, and customize the colors used for screen text and background. 

17. For at least a decade, motor-impaired persons with some keyboarding capabilities 
have been typing on their personal computers, with the aid of software programs that adjust keyboard 
timing to prevent unwanted key presses or stuttering repeats. This type of keyboard access software 
also offers “sticky key” options to allow single-finger or mouth-stick entry of keystrokes that would 
normally require typing with two hands or multiple fingers. 

18. For decades, there have been alternative input-control systems that allow severely 
motor impaired persons to input text and control computers with just a couple of special switches 
(like foot switches, large “jelly” switches, sip-and-puff switches, head-movement switches, and 
eye-blink switches). Sip-and-puff devices are devices that attach to the voting machine and allow the 
voter to indicate his or her choices by sipping air from or puffing air into a tube. Jelly switches 
accommodate voting for dexterity-impaired voters. Jelly switches are large buttons that are easier 
for a person with limited hand strength and dexterity to press. Most of these switch input systems 
use the standard 1/8-inch audio phone plug for their common interface. Head-mounted laser 
pointers, eye-gaze input systems, lap-tray puck-sensor systems, and voice-recognition systems are 
just a few of the many alternative input and control systems in common use for decades. 




19. Today, many folks have sophisticated computerized wheelchairs with built-in 
accessible communications systems that allow their users to send text messages and send control 
signals to other computer systems. 

20. To aid folks with hearing impairments, properly designed personal computer systems 
have, for many years, been able to route warning beeps through their sound systems and to 
redundantly indicate audible warning sounds, prompts, and messages with visual flashes, captions, or 
other visible cues. 

21. This is not to say that all computer systems are completely accessible by all persons 
with disabilities. Rather, it is to demonstrate that many good, inexpensive, and mature access 
technologies have long been well known and readily available for computerized equipment designers 
to use in the design of equipment such as accessible electronic voting systems. 

22. Other voting systems incorporate many of the standard access technologies, listed 
above, either singly or in combination. For example, the Hart InterCivic eSlate DRE and ES&S 
AutoMark ballot-marking machine both allow alternative input controls with switched devices, and 
the AutoMark and VotePad tactile ballot systems produce printed paper ballots that can be 
accessibly verified by voters with disabilities. 

Missing and Inadequate Access Features on the 
Diebold TSx, Sequoia Edge II, and ES&S iVotronic DREs 

23. I am thoroughly familiar with the disability access capabilities of the Diebold TSx, 
Sequoia Edge II, and ES&S iVotronic DRE voting machines, having reviewed the manufacturers’ 
specifications, attended vendor demonstrations, having personally tested the Diebold TSx in a 
demonstration ballot-marking environment, having personally tested the Sequoia Edge II by voting 
on it in several real elections, and having performed two separate hands-on trials of the ES&S 
iVotronic voting system. 

24. My own hands-on experiences with DRE systems manufactured by these vendors 
include the following: 

• 2002 demonstration of Diebold AccuVote-TS DRE (the predecessor to the Diebold TSx) in a 
League of Women Voters (“LWV”) booth, at a conference for the blind; 

• 2003 evaluation of Diebold AccuVote-TS, ES&S iVotronic, and Sequoia Edge with mock ballots 
at the Peninsula Center for the Blind and Visually Impaired, Palo Alto, California; 

• 2003 trial voting on Diebold AccuVote-TS in LWV booth at a conference for the blind; 

• 2004 trial with mock ballot on the Diebold TSx at the American Council of the Blind summer 
conference; 




• 2004 and 2006 voting four different times on Sequoia Edge II in Santa Clara County, California, 
elections; and 

• April 2006 personal testing of the Diebold TSx and the ES&S iVotronic at the National 
Federation of the Blind Technology Center in Baltimore, Maryland. 

25. I have also discussed, at length, the Diebold TSx, Sequoia Edge II, and ES&S 
iVotronic machines’ designs and performances with several experts on accessible electronic voting 
systems, who also have personally tested the Diebold TSx, Sequoia Edge II, and ES&S iVotronic 
DREs with their audio access systems. 

26. In addition to studying the VerifiedVoting.org and Electronic Frontier Foundation 
(EFF) descriptions of the features and operation of the Diebold TSx, Sequoia Edge II, and ES&S 
iVotronic, I have studied their specifications, features, and demonstration materials on the 
manufacturers’ web sites. These included detailed step-by-step descriptions of how to vote both with 
and without their audio systems. 

27. My personal and professional background, my hands-on experiences, my review of 
the manufacturers’ and others’ materials, and my discussions with expert users render me able to 
assess whether or not the Diebold TSx, Sequoia Edge II, and ES&S iVotronic are able to 
accommodate voters with disabilities. In my opinion, none of these three DRE systems satisfies the 
disability access requirements of HAVA and Colorado State law. 

28. In short, it is my opinion that a large portion of Colorado citizens having disabilities 
and who attempt to cast their votes on Diebold TSx, Sequoia Edge II, or ES&S iVotronic voting 
machines will be unable to do so privately and independently. Below, I will explain each of the 
deficiencies identified above. 

The Subject DREs’ Failure to Accommodate Severe Dexterity Disabilities 

29. As stated above, in order for a voting system to comport with federal requirements, a 
voting machine’s adaptive technology must accommodate not only blind and low vision persons but 
also persons with physical disabilities, such as dexterity disabilities, as well as persons with hearing 
impairments, or cognitive disabilities. 

30. There currently exist available adaptive technologies for persons with various 
keyboard impairments and complete inability to use hand controls, and these technologies are readily 
adaptable to voting machines. Such technologies include head switches, foot switches, giant jelly 
switches, and sip-and-puff switches. The only practical way to connect these adaptive devices to a 
computer or other equipment the user wishes to control and operate, such as a voting machine, is 
through a standard 1/8-inch phone-plug dual-switch interface. Diebold TSx, Sequoia Edge II, and 
ES&S DRE voting machines do not support these standard two-switch systems. Voters with manual 
dexterity disabilities who use a sip-and-puff switch, a foot switch, a head switch, or any other 
dual-switch adaptive device cannot plug that device into the Diebold TSx, Sequoia Edge II, or ES&S 
iVotronic to gain control over the system. Voters with manual dexterity disabilities who are unable 
to use these three voting systems’ manual selection buttons or touch screen are thus prevented from 
casting a vote using these voting systems. These defects deny voters with severe manual dexterity 
disabilities the same opportunity for access and participation (including privacy and independence) 
enjoyed by other voters who use these three voting systems. 

31. Dual-switch adaptive technology has been available for more than 15 years, is 
affordable, and is easy to implement. The failure of the Diebold TSx, Sequoia Edge II, and ES&S 
iVotronic voting systems to include dual-switch adaptive technology is inexcusable and makes the 
systems inaccessible to most people with severe manual dexterity disabilities. 

32. The sip-and-puff option proposed for the Sequoia Edge II would work only with 
audio output, and without visual display. It would force voters with severe motor impairments to 
vote as though they were also totally blind. Because Sequoia’s sip-and-puff switch controls would 
only give voters the “Forward” and “Select” control input functions, they would not have access to 
the “Help” functions and would not be able to back up to hear something again or make corrections. 
Additionally, the audio orientation instructions and prompts are for using the tactile keypad and are 
totally inappropriate for two-switch users. This attempt to offer a sip-and-puff interface is bogus and 
not what the access industry would normally consider to be a two-switch or sip-and-puff interface. 
Normally, a two-switch interface to a system with a visual display would permit the user to select 
items on the visual display, instead of forcing them to use an exclusively audio output system built 
for blind users. Sequoia’s proposed interface is token and represents a poorly considered, tacked-on 
approach to accessible voting system design. It will not functionally meet the needs of most of the 
severely motor impaired voters. 

33. The Diebold TSx, Sequoia Edge II, and ES&S iVotronic DRE voting machines also 
do not support computerized communicators such as head-mounted laser pointers, eye gaze, eye 
blink, and electronic lap-tray puck-selector systems because they do not support serial or other 
standard I/O interfaces. Therefore, voters whose dexterity disability requires them to use adaptive 
technologies are not afforded “the same opportunity for access and participation (including privacy 
and independence) as for other voters” on these three voting systems, nor can a voter with such a 
physical disability “privately and independently receive instruction, make selections, and cast a 
ballot.” 


Inadequate Keypads 

34. As specified in section 508 of the Americans with Disabilities Act (ADA): “Controls 
and keys shall be operable with one hand . . . .” Many voters with motor impairments cannot hold 
the Diebold TSx, Sequoia Edge II, or ES&S iVotronic tethered keypads in one hand, while 
attempting to press keys with the other. 

35. Unlike smaller and more ergonomically designed single-hand-operated remote 
controls for television sets, the large size and form factor of the Sequoia Edge II and Diebold TSx 
keypads do not facilitate their use as a keypad held in a single hand and operated by the thumbs of 
the same hand. 




36. Although Diebold’s own literature represents the TSx’s tethered keypad as a “tactile 
keypad,” their telephone keypad with a bump on the 5 key is not what the access industry considers a 
tactile keypad. Its keys are much too small and too close together for most persons with major motor 
impairments to be able to use it. There are too many keys, including keys that have no function at 
all. Proper accessible keypads should have only a few keys and the keys should be much larger and 
be spaced further apart. Additionally, the keys should have high-contrast coloring, large print labels, 
and unique tactile shapes; all chosen to make them simple to discover, to identify intuitively, to 
remember easily, and to locate quickly. 

37. The Sequoia Edge II tethered keypad is so big and bulky that many voters, not to 
mention those with dexterity impairments, find it very awkward to hold and operate, even with both 
hands. 


38. Because the Sequoia Edge II has no built-in keypad cradle or place to park the 
keypad without being held by the voter, a standing voter is forced to try to hold the keypad in one 
hand and operate it with the other. 

39. There is no place to leave the Sequoia Edge II keypad when you are through voting. 
I have personally found Sequoia Edge II voting machines in polling places with the keypads and 
earphones left hanging over the edge, by their cables, and dragging on the floor. 

40. The Braille labels on the keys of the Sequoia Edge II keypad are difficult to read. 
They do not have the Braille dots spaced properly, with the standard Braille dot spacing. They are 
also so close to the back edge of the keys that it is difficult for many Braille readers to get their 
finger tips onto the dots to feel them. 

41. The volume control slide pot on all of the Sequoia Edge II systems I’ve tried are of 
poor quality, noisy and scratchy, and there is no tactile indication for where it should be set for 
normal operation. Consequently, I missed the initial instruction message of the system before I 
figured out how to get the volume set properly. 

42. The ES&S iVotronic does not even have a built-in volume control. 

43. The Sequoia Edge II keypad has no speech rate control. Similarly, the ES&S 
iVotronic lacks a “speed control” over the audio output. This is important for the elderly and people 
with learning disabilities, cognitive disabilities or special needs who need to listen to the instructions 
and ballot selections at a slower rate than the fixed, default rate set by the system, while other voters 
cannot stand to listen to tediously slow speech. Voice speed control is standard adaptive technology 
that has been around for many years. It can be easily implemented, and commonly has been 
implemented, in computer systems, including electronic voting systems. 

44. The data cable on the back of the Sequoia Edge II is so flimsily attached that the 
cable has to be secured to the back of the keypad by a tie wrap. This was clearly designed with the 
wrong type of connector plug. 




45. The challenge of using such keypads or touch screens, for many folks with motor 
impairments, may be better appreciated if you imagine yourself trying to operate the touch screens, 
the keypad of the Sequoia Edge II, or the telephone-style keypad of the Diebold TSx with the heel of 
your hand, your elbow, a rod held in your armpit, or a small baseball bat held in your mouth. Instead 
of the small, indistinct, closely spaced keys on the Diebold TSx’s telephone-style keypad, other 
voting devices such as the ES&S AutoMark have large, widely spaced, and distinct tactile keys. 

46. The ES&S iVotronic also needs, but does not have, a detachable keypad that can be 
positioned on the lap, hand, or other convenient place if required. If designed properly, this adaptive 
tactile keypad technology, which has also been around for a long time, would allow more voters with 
motor impairments or reaching impairments to operate the input controls. 

47. The proper operation of the system by the voter should be highly discoverable. This 
means that a voter should be able to figure out how to use the system without previous training and 
without significant instruction by a poll worker. To aid in this discovery, the Diebold TSx, Sequoia 
Edge II, and ES&S iVotronic should have audio key describer features, such as holding the Help key 
down while pressing a second key to produce a message describing the second key’s function. 

48. Additionally, the Diebold TSx, Sequoia Edge II, and ES&S iVotronic each need, but 
do not have, practice modes with a simplified example mini ballot, to give the voter who needs it a 
comfortable opportunity to figure out how to view, mark, review, and correct their choices. 

49. The Diebold TSx, Sequoia Edge II, and ES&S iVotronic also do not have a “Call for 
Help” key or other control to discreetly summon assistance from a poll worker. 

50. As demonstrated in the Trace Center (Madison) proposal for an ideal voting system, 
the Diebold TSx, Sequoia Edge II, and ES&S iVotronic should (but do not) have an 1/8 inch phone 
jack (separate from the headphone jack) on the keypad, for attaching a sip-and-puff or other standard 
switched input-control device. 




Inadequate Audio Interfaces for Blind and Low Vision Voters 

51. The Diebold TSx, Sequoia Edge II, and ES&S iVotronic, from my direct experience, 
have no more than poorly functioning and ineffective audio interfaces. 

52. The designs of the Diebold TSx, Sequoia Edge 11, and ES&S iVotronic DREs require 
poll workers to enable the audio function for the voter. The selection of this access option and 
others, such as larger or smaller text size, should be available at all times, for selection by the voters 
themselves. Choosing to use access features should not require poll worker intervention such as 
reprogramming of the voter identification card (as is required by the Diebold TSx system), nor 
rebooting the system (as is required by the Sequoia Edge II). The current state of adaptive 
technology allows for people with visual disabilities to do “discovery” and “personal adaptation” on 
well-designed computer systems without intervention (i.e., the ability to go to a computer system and 
immediately begin to privately adapt it for personal use). Just as voters can select a language choice 
on these systems by themselves, they should be able to select audio mode or video viewing 
enhancements by themselves, without the intervention of poll workers or third parties. There is no 
good reason that voting systems could not have personal configuration abilities for selecting access 
media. 


53. The absence of this technology to allow immediate use and adaptation by people with 
disabilities without third party intervention causes several problems for people with visual and other 
disabilities. One is the total lack of privacy, as the voter is required to inform election officials in 
front of other people of his or her disability and the need for assistance, denying that voter privacy 
and independence. This problem is particularly acute for people who prefer to keep secret the fact 
that they have visual or reading impairments or other special needs. 

54. Another problem with running the system in a completely separate audio mode is the 
possibility that the system will malfunction when it operates in a separate, special audio mode. In 
one well-publicized demonstration to California voting officials, a Sequoia voting system 
misrepresented votes when it was switched to Spanish language mode. A similar problem could 
occur when the ES&S iVotronic is switched to a special audio mode. 

55. Voting with audio output on the Diebold TSx, Sequoia Edge II, and ES&S iVotronic 
is an excessively slow and tedious process. In the case of the Diebold TSx, this is due, in large part, 
to its annoyingly long, pregnant pauses between phrases or messages. It also has overly verbose 
prompts that relentlessly keep repeating unnecessarily long messages throughout the ballot marking 
process. However, when you need it to talk, the Diebold TSx audio prompting does not tell you how 
to return to reviewing the ballot. 

56. Moving back and forth between reviewing and making changes in the Diebold TSx 
ballot can be a long, slow process, because it usually requires many repeated pressings of the forward 
or backup keys. 




57. Many voters using the Diebold TSx, Sequoia Edge II, or ES&S iVotronic audio 
access feature would not be able to navigate their cognitively difficult hierarchical menus and ballot 
marking, review, and correction systems. 

58. For example, the ES&S iVotronic voting system uses a complicated and confusing 
process for navigating its hierarchical menu system. Its poorly worded messages and complicated 
logic make it difficult to use, especially for the elderly and people with learning disabilities or 
cognitive impairments. A good example is that one button (the green, diamond-shaped button) is 
used on some screens to select a candidate but used elsewhere to move to the next race. A voting 
system with good human factors design would not have more than one function per button, to avoid 
confusion and erroneous voting. The navigation buttons also can cause confusion about what race 
you’re on and who you’re voting for. For example, initially, the voter is placed in the top level, or 
contest level, of the hierarchy, and uses the yellow “Up and Down” arrow buttons to move from 
contest to contest, and presses the green “Select” button to enter a race. Once in a particular race, 
the voter is at the bottom, or candidate level, of the hierarchy and again uses the “Up and Down” 
buttons to move from candidate to candidate. The voter presses the “Select” button to choose the 
candidate of his or her choice within that race. The problem is that if a voter moves past the last 
candidate in a race, the system immediately moves back up a level in the hierarchy to the contest 
level, positioned on the next race. If the voter realizes that he or she has been automatically moved 
out of one race into another race, they would have to move back to the original race they were 
working on and again press the Select button to move back down into the candidate level. If the 
voter doesn’t comprehend what has happened in these situations (as is likely with the elderly or 
people with learning disabilities, cognitive impairments, dyslexia, or other special needs), the voter 
may be confused and think that he or she is selecting a candidate for one race while the system has 
actually moved on to another race. 

59. In my opinion, this confusing system of input controls and multilevel menu system 
renders the ES&S iVotronic inaccessible to people with certain visual or cognitive impairments. 
This overwhelmingly complicated system will also cause some people with disabilities to skip voting 
altogether, or to “short circuit” the process, such as skipping the summary page. Incredibly, reading 
the summary page is the only way for a voter to confirm if they have “under-voted” (i.e., failed to 
vote for enough candidates for every race). 

60. An additional frustration I encountered with the speech on the Diebold TSx, Sequoia 
Edge II, and ES&S iVotronic DREs was that the volume on some of the messages was so much 
lower than the rest of the messages that I had to turn up the volume, repeat the message, and then 
turn the volume back down before proceeding. The volume on all the messages should be 
normalized to make them the same. This is easy to do and should be done for all messages. 

61. To support the needs of audio voters who have major hearing loss, a high volume 
boost capability should be but is not available for Diebold TSx, Sequoia Edge II, or ES&S iVotronic 
machines. 

62. When using audio output, the voter should always be able to turn off or on the visual 
display output. This would allow audio-only voters to have better privacy, if they want it, while 
allowing them to re-enable the visual display whenever they desire. For example, it might be helpful 
for the voter to enable the visual display when asking for assistance from a sighted poll worker. 
Neither the Sequoia Edge II nor the ES&S iVotronic have a control to enable the video display while 
using the audio-voting feature. 

63. If you are forced to stand while voting with either the Diebold TSx or Sequoia Edge 
II, you will need to detach the keypad from the side of the DRE and hold it in your hand. 

64. As a Braille reader, I have found it extremely difficult to read the Braille notes I 
bring to the polling place, while trying to also hold and operate a keypad. When reading Braille, it is 
important to be able to keep one’s place by keeping one hand on the Braille text. Having to switch 
back and forth between reading Braille and holding the keypad is tedious and time consuming, 
especially on long ballots. A lot of time is wasted each time I switch from holding the keypad to 
finding my place again in my Braille notes. The Sequoia Edge II has no cradle or other place to park 
its keypad for single-handed operation. This makes it very awkward and difficult to read Braille 
notes while using these keypads. 

65. Unlike the keys of the Diebold TSx keypad, keys that are used to move forward or 
backward in an audio ballot should have shapes that indicate direction. For example, arrow-shaped 
keys that intuitively indicate their direction through the ballot choices. 

Failure to Accommodate Voters Who Require Both Visual and Audio Access 

66. The Sequoia Edge II and ES&S iVotronic systems do not allow for simultaneous and 
synchronized audio and video outputs. In other words, if these systems are in audio mode, the visual 
displays are disabled, and if the systems are in visual mode, the audio mode is disabled. This failure 
to allow simultaneous and synchronized audio and visual outputs makes the systems inaccessible for 
voters with visual impairments who require or prefer to have audio assistance when viewing the 
video display of ballot selections. This problem is particularly acute for elderly voters who have 
developed severe visual impairments with age but are unfamiliar with, and unable to cope with, 
audio-only access technology because they have previously had good enough eyesight for most of 
their lives. For these voters, neither a fully adjustable touch-screen display nor the audio access 
alternative is sufficient by itself. Rather, they require the simultaneous use of both audio and video 
display systems in order to vote independently and privately. 

67. Empirical studies have confirmed that multi-sensory outputs are more accessible to 
voters with disabilities than single-sensory outputs. Indeed, these studies have shown that 
multi-sensory output systems reduce error rates for all voters. Adaptive technology that allows for such 
multi-sensory outputs has been around for many years, is affordable, and is easily implemented into 
computer systems. There is no good reason for the Sequoia Edge II and ES&S iVotronic voting 
systems to lack such basic access technology. 

68. Proper operation of simultaneous audio/visual access does not mean just having the 
audio/keypad and video/touch screen working at the same time, as separate systems. Rather, it 
means that they must be integrated in a synchronous fashion. In a synchronous audio/visual output 
system, selecting an item on the touch screen highlights it visually and also synchronously speaks it 
through the audio output. 

69. Similarly, selecting an item with the keypad or switch input control alternatives 
should cause the item to be both spoken and visually highlighted. 

70. Synchronized redundant input controls and output media allow the voter to play to 
their own strengths by focusing on the combination of controls and output that best fits their personal 
abilities. 


71. Synchronized audio and visual display would also be valuable when the audio voter 
needs some assistance from a poll worker (assuming the voter has the ability to easily turn the visual 
display mode on and off and gets audible acknowledgement of the display mode). 

72. For similar reasons, it is unreasonable to expect people who may have no visual 
impairment but are severely motor impaired to be able or willing to use only audio output to read and 
mark their ballot on the Diebold TSx, Sequoia Edge II, or ES&S iVotronic DRE machines. 

73. The Diebold TSx, Sequoia Edge II, and ES&S iVotronic voting machines do not 
permit voters with disabilities to select their audio and visual display modes by themselves. Instead, 
they must get a poll worker to assist them by selecting the audio or visual modes for them. This 
requires that the disabled voter is aware of, and knows how to ask for, the proper audio/visual mode, 
and requires that the poll workers know how to properly select the synchronized mode for the voter. 
Synchronized audio/visual access mode should be the default access mode for all electronic voting 
systems. 

74. In practice, the lack of technical training and expertise of poll workers has meant that 
many visually impaired voters have not been aware of the audio/visual access mode or have been 
unable to get their poll workers to set up their Diebold TSx, Sequoia Edge II, or ES&S iVotronic 
voting system properly to use it. For example, Karyn Campbell, in an article she sent to the 
American Council of the Blind Discussion List and other groups, described her first experience 
voting with a Diebold TSx machine in the Illinois March 2006 primary. She explained that she 
asked for an audio ballot, and had to have poll workers reprogram her voter ID card, as it did not set 
up the Diebold TSx properly the first time she tried it. When she put the reprogrammed card in the 
Diebold TSx machine, it started working in audio mode, but with the video output in the wrong 
mode. Not wanting to push her luck, she gave up and went ahead and voted with the Diebold TSx 
machine not configured as she needed. 

75. In my own first voting experience with the Sequoia Edge II, the poll-workers were 
never able to get the DRE working in audio mode, even after 45 minutes of reading manuals and 
calling voter tech support service centers. 

76. Because low vision voters would like to use large, clear text on the screen and may 
have difficulty detecting eavesdroppers, the lack of a privacy surround curtain enclosing the booth 
area (not just token privacy side panels), appears to be a serious or even totally unacceptable privacy 
breach. The side privacy panels of the Diebold TSx, Sequoia Edge II, and ES&S iVotronic systems 
are inadequate for assuring privacy for all voters. The lack of a privacy curtain adequately enclosing 
the booth area creates an unacceptable privacy exposure. 

77. The access functions of the Diebold TSx, Sequoia Edge II, and ES&S iVotronic 
systems are also not suitable for providing accessible voting to voters who are both profoundly 
hearing impaired and visually impaired. The lack of a standard output interface port means that, for 
example, a deaf-blind voter cannot bring his or her own portable Braille display device to the polls 
and plug it into a standard output plug of the DRE, in order to read the instruction materials, mark, 
review, and correct his or her ballot privately and independently. 

78. In order to provide accessibility for people with hearing impairments, these DRE 
systems should have a “boosted” high volume capability for audio voters who normally need the 
higher volume levels of assisted listening. The absence of such a “boosted” volume setting on these 
DRE systems means that the systems are inaccessible for some audio-using voters with severe 
hearing impairments. 

79. For voters who are low vision but not blind, the Diebold TSx, Sequoia Edge II, and 
ES&S iVotronic do not provide the combination of touch-screen display modification capabilities 
necessary to accommodate the range of vision impairments. Vision impairments vary considerably 
from person to person. An adequate display modification system permits the user to change contrast, 
foreground and background colors, fonts and font size, with options for multiple font sizes or for 
zoom magnification. 

80. The Sequoia Edge II and ES&S iVotronic are not accessible for some people with 
astigmatism, color blindness, or other visual impairments because they do not provide for contrast 
control or foreground/background color selection. Contrast control allows for adjustment of the 
display's contrast sharpness (i.e., high, medium, or low) while color selection allows a person to 
change from the default “black text on a white background” display to “white text on a black 
background” or some other color combination. Some visually impaired people prefer and need 
different colors or contrasts in order to read effectively. This adaptive technology has been around 
for 16 years or more, is affordable, and is easily implemented into computer systems. Here also 
there is no good reason for the Sequoia Edge II and ES&S iVotronic not to include this video access 
technology. The Diebold TSx also lacks many of the visual display enhancement adjustment 
features that should be available to make these voting systems more readable by low vision voters. 

81. The Sequoia Edge II and ES&S iVotronic do not have voter-adjustable font size or 
magnification capabilities. 

82. For the reasons discussed above, the Diebold TSx, Sequoia Edge II, and ES&S 
iVotronic DREs fall far short of meeting HAVA and Colorado’s statutory standards. Enhanced 
display technologies for low vision users have been available for over 16 years and it should be easy 
to add this capability to computerized voting machines. As other DRE manufacturers have managed 
it, there appears to be no good reason that the manufacturers of the Diebold TSx, Sequoia Edge II, 
and ES&S iVotronic voting machines could not have easily adapted their designs to provide 
accessible visual display technology. 




VVPAT Printouts Are Not Accessible to Many Persons with Disabilities 

83. When attempting to read the output of the Voter Verifiable Paper Audit Trail 
(“VVPAT”) printers in Diebold TSx, Sequoia Edge II, and ES&S iVotronic DREs, voters with low 
vision can only achieve useful magnification of the printout through external lenses. For non-visual 
readers and for voters whose impairments prevent them from positioning themselves close enough to 
the VVPAT printer view window to read the printout, verifying their own vote on the verification 
paper printout is not possible. Using the audio read back feature of the DRE to confirm their 
electronic ballot marking in the DRE does not allow them to verify that their vote is recorded 
properly on the VVPAT paper printouts. 

84. For example, the ES&S iVotronic voting system provides a VVPAT by means of a 
printer attached to each device that records on a rolling paper scroll the selections of voters as those 
selections are made. A voter verifies his or her vote on the audit trail by viewing the printout of that 
vote on the paper scroll through a small, “audit log window” on the printer. The ES&S iVotronic 
VVPAT, however, is not adaptable for, or useable by, many people with visual or motor disabilities. 
Blind voters cannot read the printout at all, and other visually impaired people might only be able to 
read this paper with the assistance of external lenses. Verification is also not possible for many 
voters with motor disabilities (e.g., those who use wheelchairs) whose impairments prevent them 
from positioning themselves close enough to the VVPAT printer audit log window to read the 
printout. 

85. Because these three DRE systems lack a VVPAT that all visually impaired or motor 
impaired voters can use, they do not afford the same opportunity for access and participation 
(including privacy and independence) as for other voters on these voting systems. Instead, the 
electronic voting machines give voters without visual or motor impairments a verification feature not 
made accessible to visually impaired or motor impaired voters. 

86. With respect to the Diebold TSx, verification of the printout is also not possible when 
the tablet portion of the Diebold TSx is removed from the base, for example, to place it in a voter’s 
lap or to take it outside for use in an automobile. 

87. The VVPATs are really not accessible for most of the voters with disabilities or 
special needs. When representatives attempt to justify the lack of fully accessible VVPAT printouts 
by saying that it isn’t important or doesn’t matter because “other voting systems vendors don’t have 
it,” they are simply wrong. Adaptive technology to provide visually impaired and motor impaired 
voters with VVPAT capability is currently available, and systems such as the AutoMark Voter Assist 
Terminal (manufactured by ES&S) and VotePad (a tactile ballot sleeve technology), both of which I 
have tested, are able to provide accessible verification with standard paper ballots. The failure of the 
Diebold TSx, Sequoia Edge II, and ES&S iVotronic voting systems to include accessible VVPAT 
technology cannot be justified. 

Experience Voting in Actual Elections on the Sequoia Edge II DREs 




88. I have attempted to vote on Sequoia Edge II DRE machines in four separate 
elections. The first time, in March of 2004, the poll workers were never able to get any of the 
machines at our polling place rebooted with the audio-assist feature working. After 45 minutes of 
struggling with the systems, we gave up and I had to have someone else do my voting for me. 
Clearly these Sequoia Edge DREs were not designed correctly to be operated by poll workers 
lacking high levels of technical sophistication. 

89. My experience voting on the Sequoia Edge II DRE with the audio-assist feature in 
the November 2004 election illustrates the problems that blind and visually impaired voters face 
when attempting to vote on Sequoia Edge II DREs. 

90. After signing in, and getting my voter smart card, I had to wait eight minutes for 
officials to manage to reboot the audio voting machine. The polling officers had been using it for 
visual touch-screen voting, as there was a very long line and just five voting machines for our 
combined two-precinct polling place. 

91. I had my notes in Braille. Because there was no table surface for the notes, the poll 
workers had to find me a chair so I could read my notes with the Braille on my lap. 

92. The volume control on the front of the Sequoia Edge II keypad was not working well 
and resulted in scratchy and intermittent sound. By the time I got the volume set to where I could 
understand it, the introduction message had already finished the English instructions and was off into 
other languages. I was not sure what I should do, so I finally gave up and pressed the select button. 
This eventually got me to the language menu, where I was able to select English and get started with 
my ballot. 

93. The first major problem I had was that the ballot on the Sequoia Edge II voting 
machine was not in the same order as the printed sample ballot. When my wife pointed this out to 
the chief poll worker, the poll worker was surprised to see the difference and said maybe that would 
explain why it was taking most voters longer than expected to vote. Because my notes were done in 
the order of the sample ballot, I had to do a lot of hopping around in my notes and be very thorough 
and careful listening to the machine. In contrast to what we had been told, the list of candidate 
names was spoken in alphabetical order. 

94. It took me 30 minutes to work my way through the ballot and make my selections. 
After that, I had quite a bit of trouble getting into the review mode, to get a full list of all my 
selections. When I did, it went on and on, for 23 minutes, like a long uncontrolled drink from a fire 
hose. The review function read each item, and then, at the very end, said what my selection was for 
that item. It even threw in the details of what the fiscal impact would be, and took forever. This is 
completely backwards. It should announce the name of the item, then state my selection, and then 
read the rest of the information for that item. Also, I should have the control to press the arrow key 
to move forward or backward through the items, without having to listen to all the text about every 
item. 




95. When I did find that I had made a mistake in my selections, I had to wait until the 
end of the whole review process to correct it, instead of being able to stop, make the change, and 
then continue with the review where I left off. I did not want to abort the ballot verification review 
to make a correction, and then have to start the long, tedious review all over again. 

96. When I later attempted to change one of my selections from “no” to “yes,” the 
machine would not let me just select “yes,” until I had first gone to the unwanted choice and 
deselected it. This was very awkward and confusing. This is just poor human factors design for 
anybody, but especially for those using the audio assist feature. Many voters using the audio assist 
feature would not be able to navigate this difficult review and correction procedure. 

97. At one point, as I was nearing the end of the ballot, I was dumped back into the 
language selection menu. I found out later that this was because the Sequoia Edge II has a timeout 
function that did this because I hadn’t hit a key in quite a while. I hadn’t hit a key for a while 
because it was taking a very long while to read out the long ballot summary! This is terrible human 
factors design. If a system is trying to present a helpful prompt when it senses an overly long 
delayed response from the user, it should never bounce the user off into a different place in the menu 
system. It might prompt the user, but it should then leave them at their previous position, to 
minimize confusion. Furthermore, the timeout should not begin until the system has finished reading 
out its message — in this case, after the whole ballot review summary. For a scary minute, I was 
afraid I had just lost my ballot and would have to start all over. I re-selected “English” and 
fortunately was returned to my previous location in the ballot. 

98. An additional frustration was that the volume on some of the messages was so much 
lower than the rest of the messages that I had to turn up the volume, repeat the message, and then 
turn the volume back down before proceeding. The volume on all the messages should be 
normalized to make them the same. 

99. From the time I signed in and got my voter smart card, it took eight minutes to reboot 
the machine as an audio voting machine, 30 minutes to make my choices, 23 minutes to review and 
verify, and another four minutes to make a correction and record my vote. Not counting the hour I 
had waited in line, it took me about 65 minutes to mark and record my ballot. 

100. It would have taken even longer if I had been willing to wait, as prompted, until the 
end of each message to push the “select” button. The messages mislead some folks because they say 
something like, “at the end of this message, you can press the . . .” This implies that you are 
supposed to wait until the speech message finishes. 

101. I must emphasize that, in my opinion, my ability to navigate this process at all was 
due to my familiarity with computers and computer technology. I doubt that many blind or visually 
impaired voters would have been able to navigate it at all. 

102. As an expert in the design of audio access technology, it is my opinion that the 
Sequoia Edge II system was incompetently designed. 




103. The Sequoia Edge II audio review process is totally unacceptable and would cause 
most voters with disabilities to skip the review. 

104. There were at least two times when I wanted to ask for help from the poll workers. 
One was during the confusion I encountered from the difference between the printed sample ballot 
and the DRE ballot. The other time was near the end of my ballot marking, when I had a lot of 
trouble getting the review started and then was trying to find and change a mistake I found during the 
review. Because the poll workers would not be able to look at a working visual display on my 
system, and didn’t have any way to join me in listening to the audio output of the machine, I knew 
that I couldn’t get much help from them (even though our head polling officer seemed very 
knowledgeable and helpful). 

105. In November of 2005 I once again had a very frustrating experience attempting to 
vote with the Sequoia Edge II machine. 

106. The polling officers (who were actually very pleasant) thought that they had booted 
the machine into audio mode first thing in the morning but they had not. Once they realized that it 
was not in audio mode, they could not figure out how to reboot the DRE into audio mode. After my 
wife read their manual and figured out the correct audio boot up process, she finally managed to get 
the machine properly rebooted and talking for them. This rebooting fiasco took 18 very frustrating 
minutes. 

107. After the Sequoia Edge II voting machine finally started talking, it took me about six 
minutes to fill out the ballot, seven minutes to review my vote, and another minute to record my 
ballot and finish. Total time in front of the machine was 32 minutes. Luckily it was a short ballot 
with just eight choices. 

108. After I initially made all my ballot choices, the Sequoia Edge II machine prompted 
me with a message that said something like “You are finished voting” instead of “If you are finished 
voting . . .” which is likely to cause some folks to walk away before their vote has been properly 
recorded. It should more obviously prompt with something like “If you are done making your 
choices, press select to record your vote.” Many of the factory built-in prompts of the Sequoia Edge 
II audio-assist feature are similarly poorly worded and misleading or confusing. 

109. Additionally, understanding the locally recorded November 2005 ballot messages 
was very difficult, because they had used a non-native reader who had a very thick foreign accent. 
Clearly, if I hadn’t been very tenacious and hadn’t taken my own computer expert along when I went 
to vote, I wouldn’t have been able to vote privately. 

110. More generally, I must emphasize that, in my opinion, my ability to independently 
navigate the Diebold TSx, Sequoia Edge II, and ES&S iVotronic voting processes at all was due to 
my familiarity with computers and computer technology. Many blind, low vision, and cognitively 
impaired voters would not be able to successfully navigate through the Diebold TSx’s, Sequoia Edge 
II’s, and ES&S iVotronic’s hierarchical menu systems. 




111. Additionally, as one familiar with the technology, I was far more likely than the 
typical voter using audio access to be able to figure out how Sequoia audio features worked and were 
structured, yet I had considerable difficulty that slowed the voting process. Many voters forced to 
use the audio-assist features might be embarrassed to tie up a voting machine for long periods, or not 
have sufficient patience, and therefore decide not to vote the entire ballot or not to fully review their 
selections before casting their ballot. 

112. What I have heard from other voters, even sighted voters, is that they have often 
caught ballot marking mistakes in the review process. It is clear from this and from my own 
experience, that we really have to go through the review process in order to make sure that our 
ballots are accurate. The Diebold TSx, Sequoia Edge II, and ES&S iVotronic review processes are 
likely to cause most voters with disabilities to give up and skip the review. 

113. The problems that poll workers have had properly setting up the Diebold TSx, 
Sequoia Edge II, and ES&S iVotronic voting systems for use by disabled voters show that the 
machines are not designed properly for operation by the general population of poll workers. The 
problem is due to flaws in the human factors design of the DREs, and should not be blamed on the 
poll workers' or voters' lack of technical expertise. Clearly, these Diebold TSx, Sequoia Edge II, 
and ES&S iVotronic DREs were not designed correctly to be operated in the real world by normal 
poll workers lacking high levels of technical sophistication and training. 

114. The June 6, 2006, primary election in Santa Clara County was my fourth opportunity 
to attempt to vote on the Sequoia Edge II electronic voting systems. For 12 minutes, the poll 
workers struggled with trying to get the system talking. By watching the screen for them, my wife 
was able to tell them it wasn’t setting up correctly. The poll workers tried repeatedly to program the 
voter ID card properly so it would cause my voting machine to talk. Fortunately, I remembered that, 
at the last Voter Access Advisory Committee meeting, a member of the ROV staff told me that the 
Sequoia ID card encoder did not show a menu choice for the audio voting mode. Our poll workers 
did not know that, just before the final step of encoding the ID card, they were supposed to issue a 
special menu command to bring up a hidden menu for selecting audio access mode. 

115. After I explained this procedure for properly using the card encoder, they were 
eventually convinced to try it and were finally able to make me an ID card that actually worked and 
brought the machine up in the audio voting mode. What did happen, and what will happen in the 
general elections, to all the folks who were not told or did not remember enough to convincingly tell 
their poll workers how to encode their cards properly for audio access mode? They will not be able 
to vote using the Sequoia Edge 11 machines. 

116. One of the plaintiffs in the California voter action, which is challenging certain DREs 
like this Colorado action, had to wait, after getting her voter ID card encoded, for the person in front 
of her to finish voting on the audio access Sequoia machine. When it was her turn to vote, the 
Sequoia Edge II rejected her voter ID card, as it had exceeded the 30-minute time-out limit. She had 
to have her card encoded several times more, before the poll workers could finally manage to get it 
properly set up to put the Sequoia Edge II machine in audio access mode. 




117. After 12 minutes waiting for my Sequoia Edge II machine to be configured in audio 
mode, it took an additional 31 minutes for me to successfully navigate my way through the ballot 
marking procedure. It then took eight more minutes for it to play out the ballot review. At this 
point, I decided that I needed to change one of my votes to a write-in and that procedure took another 
seven minutes. 

118. By the time the Sequoia Edge II system printed the paper trail and then spit out my 
voter ID card, I had spent a total of 59.5 minutes — nearly an hour — trying to vote privately. 

119. There were several other problems I encountered while trying to vote on this Sequoia 
Edge II voting system. The voter ID card slot was hard to find, as it was located so low on the front 
bottom of the machine and lacked a good tactile guide bezel around its opening. 

120. The locally recorded audio messages were distorted and poor quality from the 
speaker blowing on the microphone. 

121. At least three times while I was voting the Sequoia Edge II timed out and put me 
back in the language selection menu, where it then required that I press the Select key twice to exit 
the language menu and return to my previous position in the ballot. 

122. Since the June 2006 primary election, I've heard from other voters who voted in 
precincts of Santa Clara County that the precincts were using the cardboard privacy panels from the 
old punch-card booths, in hopes that would afford a better privacy shield than the flimsy panels that 
normally are attached to the sides of the Sequoia Edge II units. 

123. Because of the width of the combined printer and Sequoia Edge II touch screen unit, 
the printer would have to be disconnected and removed from the touch-screen device and placed in a 
wheelchair voter's lap to enable that voter to vote. A motor-impaired friend of mine who tried this 
found that he had to have a poll worker stand behind the Sequoia Edge II touch-screen unit and hold 
up its back end to keep it from falling off his lap while he voted. The Sequoia Edge II is clearly not 
designed to work in the lap of someone in a wheelchair. 

124. The legs of the Sequoia Edge II stand appear to be only about 16 inches apart, too 
narrow for some wheelchairs. 

125. When the system printed my vote on the VVPAT roll-to-roll printer, I asked my wife 
to take a look at it, to verify my vote for me. It turns out that if I am using the audio access feature 
and have a multi-page ballot, the printer prints out the whole ballot in one shot, and then clears it out 
of the viewing window, without any break to stop and permit me to have a sighted friend read the 
paper trail for me. When sighted folks are printing their ballot on the VVPAT without audio, it only 
prints a single printer page’s worth at one time and then pauses for the user to press a button to make 
it print the next page, after the voter is ready. 

126. Because the manufacturer of the Sequoia Edge II system knows that blind voters will 
not be able to read and verify the paper trail themselves, the manufacturer incorrectly assumes that 
all audio voters want the whole ballot printed out without any pauses for viewing by anyone. 




127. One of the Sequoia Edge II voting machines in our polling place was broken and 
taken out of service. Luckily for me, it was not the audio access voting machine. 

128. In summary, the setup of the Sequoia Edge II in audio access mode is still too 
complicated for the average poll worker; marking and reviewing the ballot takes a very long time for 
the audio voter; the physical privacy shielding is even worse than it used to be with punch-card 
systems; and audio voters do not have any way of verifying the paper audit trail privately or 
otherwise. 

129. I am aware that Diebold, Sequoia, and ES&S all represent that they are working on 
making future improvements to the audio prompts and other capabilities of their DRE machines. 
However, like the two-switch input-control feature and other access options that have been promised 
by these vendors, these possible future features are still not available on our real voting systems in 
our real polling places today. 

130. As my own experiences prove, it is certainly possible for some tenacious disabled 
persons to get through the voting process successfully on these Diebold TSx, Sequoia Edge II, and 
ES&S iVotronic systems. However, that experienced computer and access technology users like 
myself have had such frustrating experiences trying to use the Diebold TSx, Sequoia Edge II, and 
ES&S iVotronic DREs, clearly indicates that these systems have not been designed to provide 
appropriate access for the general disabled population. 

131. In summary, it is my opinion that the Diebold TSx, Sequoia Edge II, and ES&S 
iVotronic DREs are not voting systems that meet HAVA and Colorado statutes' disability 
accommodation requirements. The Diebold TSx, Sequoia Edge II, and ES&S iVotronic systems 
would require significant redesign to comply with federal and state legal requirements. 




I declare under penalty of perjury under the laws of the State of Colorado that the 
foregoing is true and correct and that this declaration was executed on June 27, 2006, at 
Albuquerque, New Mexico. 






